Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How is _time being populated?

ddrillic
Ultra Champion
‎05-11-2016 06:55 AM

I wonder how _time is being populated by default. Is it "simply" by assigning the first date/time field into _time?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-11-2016 07:09 AM

Population/calculation of _time, also known as timestamp recognition, is done during indexing of the data. This link should give you all the information you need.

http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/HowSplunkextractstimestamps

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-11-2016 07:09 AM

Population/calculation of _time, also known as timestamp recognition, is done during indexing of the data. This link should give you all the information you need.

http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/HowSplunkextractstimestamps

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎05-11-2016 08:20 AM

That's great. It says -

2 ---
If no TIME_FORMAT was configured for the data, Splunk Enterprise attempts to automatically identify a time or date in the event itself. It uses the source type of the event (which includes TIME_FORMAT information) to try to find the timestamp.

Does it mean that if there are multiple candidates in the event, it takes the first one it encounters, left to right?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-11-2016 09:02 AM

Not sure if my previous comment was saved, Yes that is correct.

But again it's always better to specify TIME_FORMAT and TIME_PREFIX (location of timestamp) to reduce additional data parsing load on Splunk.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎05-11-2016 10:59 AM

Perfect - thank you!!!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-11-2016 09:02 AM

That is correct

0 Karma
Reply
Get Updates on the Splunk Community!

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...