
Difference between (_time) internal field and (timestamp) default field

Builder

Guys

I can't find the difference between the _time internal field and the timestamp default field anywhere in the docs. Can someone help me with this,
or are they the same?

Here is the link to Splunk doc which shows them differently.
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Aboutdefaultfields

Thanks


Esteemed Legend

The timestamp that is presented to you is the _time value adjusted by your personal time zone setting in your user settings.


Builder

Thanks for the answer

If you go through the doc linked in the question, it says

Splunk will extract default fields like host, timestamp, source, etc. and internal fields like _time, _raw, etc. for every event at index time

I can see _time, linecount, punct and all the other internal and default field values for every event,
but I don't see a timestamp field value for any event.

And I am trying to understand the difference between the _time and timestamp field values for any event.

Can you explain this to me, or provide a sample image which shows the _time and timestamp field values for an event?


Motivator

Hello @PowerPacked

I guess you are talking about the TIMESTAMP_FIELDS parameter in props.conf.
First of all, TIMESTAMP_FIELD is a field in your data which will in the end contribute to _time. For example, if you have some structured data with multiple time fields, you can specify which field should be _time. So we mention the TIMESTAMP field there.

For better understanding, refer to this link:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Propsconf

I hope this answers your question.



SplunkTrust

There is no "timestamp" default field. Are you able to supply more information about where you are seeing this field? It might be an indexed extraction or appearing because of some other reason.

Cheers



Builder

Yes, they are indexed extraction default fields, but I would like to know the difference between them.


SplunkTrust

_time is the time of the event in epoch time.

The other fields such as date_hour, date_minute, etc. are just partial versions there to be helpful. For example, if you wanted to find out the most popular hour of the day in your data you can do this: SEARCH | stats count by date_hour . Now, if you don't like these fields, you can disable them by setting this in props.conf:

ADD_EXTRA_TIME_FIELDS = [true|false]
* This setting controls whether or not the following keys will be automatically
  generated and indexed with events:
    date_hour, date_mday, date_minute, date_month, date_second, date_wday,
    date_year, date_zone, timestartpos, timeendpos, timestamp.
* These fields are never required, and may be turned off as desired.
* Defaults to true and is enabled for most data sources.
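To make the two answers above concrete, here is an added simulation (not Splunk code and not part of this thread) of how a structured event with two candidate time fields is handled: the field named by TIMESTAMP_FIELDS becomes _time as epoch seconds, the date_* helpers are cut from the raw text only when ADD_EXTRA_TIME_FIELDS is on, and the timestamp you see is _time rendered in your own time zone setting. The JSON event is constructed, and user time zones are modelled as fixed UTC offsets to keep the script dependency-free.

```python
import json
from datetime import datetime, timezone, timedelta

# Constructed JSON event with two candidate time fields, as in structured data
# where the props.conf TIMESTAMP_FIELDS setting decides which one feeds _time.
RAW_EVENT = json.dumps({
    "event_time": "2019-02-10 14:05:30 -0500",
    "received":   "2019-02-10 19:07:02 +0000",
    "user": "alice", "action": "login",
})
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %z"   # plays the role of props.conf TIME_FORMAT


def index_event(raw: str, timestamp_field: str, add_extra_time_fields: bool = True) -> dict:
    """Simulated index-time step: _time is always derived (epoch seconds, zone
    independent); the date_* helper fields exist only if ADD_EXTRA_TIME_FIELDS."""
    data = json.loads(raw)
    dt = datetime.strptime(data[timestamp_field], TIME_FORMAT)
    event = {"_raw": raw, "_time": int(dt.timestamp())}
    if add_extra_time_fields:
        event.update({
            "date_hour": dt.hour,            # taken from the raw text: 14, not 19 UTC
            "date_mday": dt.day,
            "date_minute": dt.minute,
            "date_month": dt.strftime("%B").lower(),
            "date_second": dt.second,
            "date_wday": dt.strftime("%A").lower(),
            "date_year": dt.year,
            "date_zone": int(dt.utcoffset().total_seconds() // 60),  # minutes from UTC
        })
    return event


def render_timestamp(event: dict, user_offset_hours: float) -> str:
    """Simulated search-time display: the same _time shown in the viewer's
    time zone preference (a fixed offset here instead of a named zone)."""
    tz = timezone(timedelta(hours=user_offset_hours))
    return datetime.fromtimestamp(event["_time"], tz=tz).strftime(TIME_FORMAT)


if __name__ == "__main__":
    ev = index_event(RAW_EVENT, timestamp_field="event_time")
    print("_time:", ev["_time"], "date_hour:", ev["date_hour"], "date_zone:", ev["date_zone"])
    for offset in (-5, 0, 1, 5.5):          # same _time, four different displayed timestamps
        print(f"user offset {offset:+}h ->", render_timestamp(ev, offset))
```

Switching timestamp_field to "received" changes _time by the gap between the two raw values, while date_hour stays tied to whichever text was parsed.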