
Difference between (_time) internal field and (timestamp) default field

Builder

Guys

I can't find the difference between the _time internal field and the timestamp default field in the docs anywhere. Can someone help me with this, or are they the same?

Here is the link to Splunk doc which shows them differently.
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Aboutdefaultfields

Thanks


Re: Difference between (_time) internal field and (timestamp) default field

SplunkTrust

There is no "timestamp" default field. Are you able to supply more information about where you are seeing this field? It might be an indexed extraction or appearing because of some other reason.

Cheers


Re: Difference between (_time) internal field and (timestamp) default field

Builder

Yes, they are indexed extractions / default fields, but I would like to know the difference between them.


Re: Difference between (_time) internal field and (timestamp) default field

SplunkTrust

_time is the time of the event in epoch time.

The other fields such as date_hour, date_minute, etc. are just partial versions there to be helpful. For example, if you wanted to find out the most popular hour of the day in your data you can do this: SEARCH | stats count by date_hour . Now if you don't like these fields you can disable them by setting this in props.conf:

ADD_EXTRA_TIME_FIELDS = [true|false]
* This setting controls whether or not the following keys will be automatically
  generated and indexed with events:
    date_hour, date_mday, date_minute, date_month, date_second, date_wday,
    date_year, date_zone, timestartpos, timeendpos, timestamp.
* These fields are never required, and may be turned off as desired.
* Defaults to true and is enabled for most data sources.

Re: Difference between (_time) internal field and (timestamp) default field

Hello @PowerPacked

I guess you are talking about the TIMESTAMP_FIELDS parameter in props.conf.
First of all, TIMESTAMP_FIELDS is a field in your data which will in the end contribute to _time. For example, if you have some structured data with multiple time fields, you can specify which field should be _time. So we mention the timestamp field there.

For better understanding, refer this link:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Propsconf

I hope this answers your question.


Re: Difference between (_time) internal field and (timestamp) default field

Esteemed Legend

The timestamp that is presented to you is the _time value adjusted by your personal timezone setting in your user settings.

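As an added worked example (not part of the original thread, and not Splunk's own code), the following Python shows the three things the two replies above describe side by side: _time as a timezone-independent epoch value, the date_* extra time fields that ADD_EXTRA_TIME_FIELDS controls, derived from the timestamp text as it appears in the raw event, and the displayed timestamp, which is _time rendered in the viewer's timezone preference. The sample log lines and the timestamp format are constructed; the assumption that date_* fields follow the raw text rather than the viewer's timezone is my reading of Splunk's behaviour and is worth checking against your own index. The "timestamp" key from that props.conf list is left out because the thread does not establish what it holds.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the original thread). Each line starts
# with a timestamp that carries its own UTC offset. Events 1 and 2 describe
# the same instant written in two different zones.
SAMPLE_EVENTS = [
    "2019-02-14 23:15:42 -0500 sshd[1042]: Failed password for root from 203.0.113.7",
    "2019-02-15 04:15:42 +0000 sshd[1042]: Failed password for root from 203.0.113.7",
    "2019-02-14 23:40:01 -0500 sshd[1042]: Accepted publickey for deploy from 198.51.100.9",
]

# Timestamp format assumed for the sample data; a real props.conf would use
# TIME_PREFIX / TIME_FORMAT to describe it.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %z"

# Two "user timezone preferences" used for display; fixed offsets so the
# example runs without a tz database.
UTC = timezone.utc
PST = timezone(timedelta(hours=-8), "PST")


def parse_timestamp(raw: str):
    """Locate and parse the timestamp text in a raw event.

    Returns (aware datetime, start offset, end offset) of the matched text,
    or None when the event has no recognisable timestamp.
    """
    m = TIMESTAMP_RE.match(raw)
    if m is None:
        return None
    return datetime.strptime(m.group(1), TIME_FORMAT), m.start(1), m.end(1)


def extract_time(raw: str) -> float:
    """_time: the event's instant as epoch seconds, independent of any timezone."""
    parsed = parse_timestamp(raw)
    if parsed is None:
        raise ValueError("no timestamp found in event")
    return parsed[0].timestamp()


def extra_time_fields(raw: str) -> dict:
    """The date_* / *pos keys from ADD_EXTRA_TIME_FIELDS, taken from the timestamp
    text as written in the raw event (assumed: not shifted to the viewer's zone)."""
    parsed = parse_timestamp(raw)
    if parsed is None:
        raise ValueError("no timestamp found in event")
    dt, start, end = parsed
    return {
        "date_year": dt.year,
        "date_month": dt.strftime("%B").lower(),   # e.g. "february"
        "date_mday": dt.day,
        "date_wday": dt.strftime("%A").lower(),    # e.g. "thursday"
        "date_hour": dt.hour,
        "date_minute": dt.minute,
        "date_second": dt.second,
        "date_zone": int(dt.utcoffset().total_seconds() // 60),  # minutes from UTC
        "timestartpos": start,
        "timeendpos": end,
    }


def displayed_timestamp(epoch: float, user_tz: timezone) -> str:
    """What a user sees in the UI: _time rendered in that user's timezone preference."""
    return datetime.fromtimestamp(epoch, tz=user_tz).strftime("%Y-%m-%d %H:%M:%S %z")


def count_by_date_hour(events) -> dict:
    """Rough equivalent of: SEARCH | stats count by date_hour"""
    return dict(Counter(extra_time_fields(e)["date_hour"] for e in events))


def count_by_hour_of_time(events, user_tz: timezone) -> dict:
    """Rough equivalent of: SEARCH | eval h=strftime(_time, "%H") | stats count by h
    with _time rendered in one chosen zone, so equal instants land in one bucket."""
    return dict(Counter(
        datetime.fromtimestamp(extract_time(e), tz=user_tz).hour for e in events
    ))


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        t = extract_time(ev)
        f = extra_time_fields(ev)
        print(f"_time={t:.0f}  date_hour={f['date_hour']:>2}  date_zone={f['date_zone']:>5}  "
              f"UTC view={displayed_timestamp(t, UTC)}  PST view={displayed_timestamp(t, PST)}")
    print("by date_hour     :", count_by_date_hour(SAMPLE_EVENTS))
    print("by hour of _time :", count_by_hour_of_time(SAMPLE_EVENTS, UTC))
```

Running it shows why the two kinds of field must not be mixed in a search: events 1 and 2 share one _time and one displayed timestamp per viewer, yet their date_hour values are 23 and 4 because the hour was read from different raw text. A stats count by date_hour therefore answers "what hour was written in the log", while a strftime on _time answers "what hour was it in the chosen zone".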

Re: Difference between (_time) internal field and (timestamp) default field

Builder

Thanks for the answer

If you go through the doc linked in the question, it says:

Splunk will extract default fields like host, timestamp, source, etc. and internal fields like time, raw, etc. for every event at index time.

I can see _time, linecount, punct and all the other internal and default field values for every event, but I don't see a timestamp field value for any event.

And I am trying to understand the difference between the _time and timestamp field values for any event.

Can you explain this to me, or provide a sample image which shows the _time and timestamp field values for an event?
