I cant find the difference between _time internal field and timestamp default field in docs anywhere, Can someone help me with this
or are they same ?
Here is the link to Splunk doc which shows them differently.
There is no "timestamp" default field. Are you able to supply more information about where you are seeing this field? It might be an indexed extraction or appearing because of some other reason.
_time is the time of the event in epoch time.
the other fields such as
date_minute etc are just partial versions there to be helpful. For example, if you wanted to find out the most poular hour of the day in your data you can do this:
SEARCH | stats count by date_hour . Now if you dont like these fields you can disable them by setting this in props.conf
ADD_EXTRA_TIME_FIELDS = [true|false] * This setting controls whether or not the following keys will be automatically generated and indexed with events: date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, timestartpos, timeendpos, timestamp. * These fields are never required, and may be turned off as desired. * Defaults to true and is enabled for most data sources.
I guess you are talking about TIMESTAMPFIELDS parameter in props.conf.
First of all TIMESTAMPFIELD is a field in your data which will at the end contribute to _time. Like if you have some structured data where you have multiple time fields so you can specify which field should be _time. So we mention the TIMESTAMP field there.
For better understanding, refer this link:
I hope this answers your question.
The timestamp that is presented to you is the
_time value adjusted by your personal
Time zone setting in you
Thanks for the answer
If you go through the above doc in the question, it says
Splunk will extract default fields like host,timestamp,source etc. & Internal fields like time,raw, etc. for every event at index time
I can see _time, linecount,punct all other internal & default field value for every event
but i dont see timestamp field value for any event.
& i am trying to understand diff between _time and timestamp field value for any event.
Can you explain me this or provide sample image which shows _time and timestamp field value for any event.