Splunk Search

Question about "_time" field

zacksoft
Contributor

In Splunk I see this built-in field "_time". I am able to use it in my stats and it gives me some time.

My question is,
Does this field give the time when the event was generated by my corresponding "source server"?
OR
Does this field give me the time of when that event was indexed by the "Splunk server" ?

1 Solution

kamlesh_vaghela
SplunkTrust

Hi @zacksoft,

Does this field give the time when the event was generated by my corresponding "source server"? : No, not directly.
OR
Does this field give me the time of when that event was indexed by the "Splunk server"?

Splunk software uses the following precedence rules to assign timestamps to events:

  • It looks for a time or date in the event itself using an explicit TIME_FORMAT, if provided. You configure the TIME_FORMAT attribute in props.conf.
  • If no TIME_FORMAT was configured for the data, Splunk software attempts to automatically identify a time or date in the event itself. It uses the source type of the event (which includes TIME_FORMAT information) to try to find the timestamp.
  • If an event has a time and date, but not a year, Splunk software determines the year, as described in How Splunk software determines timestamps with no year, and builds the timestamp from that.
  • If no events in a source have a date, Splunk software tries to find a date in the source name or file name. Time of day is not identified in filenames. (This requires that the events have a time, even though they don't have a date.)
  • For file sources, if no date can be identified in the file name, Splunk software uses the file modification time.
  • As a last resort, Splunk software sets the timestamp to the current system time when indexing each event.

Check this link:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/HowSplunkextractstimestamps

Thanks
Kamlesh

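The precedence list above, emulated in Python as an added example. This is not Splunk's code and not part of the original thread: the regexes, the `assign_time` and `demo` functions, the constructed sample events and the fixed indexer clock are all assumptions made for illustration. Splunk's real detector (datetime.xml) recognises far more layouts, rule 4 is applied here per event rather than per source, and the year inference is a simplified form of Splunk's.

```python
"""Emulation of Splunk's timestamp-precedence rules (added example, not Splunk code)."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Patterns for the small auto-detector used here (assumed, not Splunk's datetime.xml).
ISO_RE = re.compile(r"(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})")
SYSLOG_RE = re.compile(r"\b([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}:\d{2}:\d{2})\b")  # no year
TIME_ONLY_RE = re.compile(r"\b(\d{2}:\d{2}:\d{2})\b")
DATE_IN_NAME_RE = re.compile(r"(\d{4})-?(\d{2})-?(\d{2})")


def _parse_with_format(event, fmt, lookahead):
    """Rule 1 helper: like TIME_FORMAT + MAX_TIMESTAMP_LOOKAHEAD, try the longest
    prefix of the event (up to `lookahead` chars) that strptime accepts."""
    for n in range(min(lookahead, len(event)), 0, -1):
        try:
            return datetime.strptime(event[:n], fmt).replace(tzinfo=UTC)
        except ValueError:
            continue
    return None


def _fill_year(month_abbr, day, hms, now):
    """Rule 3 (simplified): Splunk picks a year that keeps the event out of the
    future; here we take the current year and step back one if that overshoots."""
    dt = datetime.strptime(f"{now.year} {month_abbr} {day} {hms}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=UTC)
    if dt > now + timedelta(days=1):
        dt = dt.replace(year=now.year - 1)
    return dt


def assign_time(event, source="", time_format=None, lookahead=128,
                file_mtime=None, now=None):
    """Return (epoch_seconds, rule_name) for one event.

    `time_format` plays the role of props.conf TIME_FORMAT, `file_mtime` is the
    monitored file's modification time (None for non-file inputs) and `now` is
    the indexer's clock, injectable so the example is deterministic.
    """
    now = now or datetime.now(UTC)

    # Rule 1: an explicit TIME_FORMAT is tried first.
    if time_format:
        dt = _parse_with_format(event, time_format, lookahead)
        if dt:
            return dt.timestamp(), "explicit TIME_FORMAT"

    # Rule 2: automatic detection of a full date+time inside the event.
    m = ISO_RE.search(event)
    if m:
        dt = datetime.strptime(f"{m.group(1)} {m.group(2)}",
                               "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
        return dt.timestamp(), "auto-detected date+time"

    # Rule 3: date and time present but no year (classic syslog header).
    m = SYSLOG_RE.search(event)
    if m:
        return _fill_year(*m.groups(), now).timestamp(), "auto-detected, year inferred"

    # Rule 4: only a time of day in the event; take the date from the source name.
    # (Splunk applies this per source, when no event in it carries a date;
    # doing it per event is a simplification.)
    t = TIME_ONLY_RE.search(event)
    d = DATE_IN_NAME_RE.search(source)
    if t and d:
        dt = datetime.strptime(f"{''.join(d.groups())} {t.group(1)}",
                               "%Y%m%d %H:%M:%S").replace(tzinfo=UTC)
        return dt.timestamp(), "time from event, date from source name"

    # Rule 5: file input with no usable date anywhere -> file modification time.
    if file_mtime is not None:
        return file_mtime.timestamp(), "file modification time"

    # Rule 6: last resort, the indexer's own clock. Only here does _time equal
    # the index time.
    return now.timestamp(), "index-time (current system time)"


def demo():
    """Feed constructed sample events through assign_time with a fixed indexer
    clock; returns {label: (rule, iso_timestamp)} so the outcome is checkable."""
    now = datetime(2024, 3, 10, 12, 0, 0, tzinfo=UTC)   # pretend indexer clock
    mtime = datetime(2024, 3, 9, 6, 0, 0, tzinfo=UTC)   # pretend file mtime
    # (event, source, TIME_FORMAT, file_mtime): all constructed for this example.
    samples = {
        "explicit": ("2024-03-05 10:15:00 host=web1 action=login user=alice",
                     "/var/log/app.log", "%Y-%m-%d %H:%M:%S", mtime),
        "iso":      ("INFO 2024-03-06T08:00:00 payment=ok", "/var/log/app.log", None, mtime),
        "syslog":   ("Mar  7 23:59:59 fw1 kernel: DROP IN=eth0", "udp:514", None, None),
        "rollback": ("Dec 31 23:00:00 fw1 sshd: accepted", "udp:514", None, None),
        "timeonly": ("08:30:00 GET /health 200", "/var/log/app-20240308.log", None, mtime),
        "mtime":    ("heartbeat ok", "/var/log/nodate.log", None, mtime),
        "now":      ("heartbeat ok", "tcp:9997", None, None),
    }
    out = {}
    for label, (event, source, fmt, file_mtime) in samples.items():
        ts, rule = assign_time(event, source, time_format=fmt,
                               file_mtime=file_mtime, now=now)
        out[label] = (rule, datetime.fromtimestamp(ts, UTC).isoformat())
    return out


if __name__ == "__main__":
    for label, (rule, iso) in demo().items():
        print(f"{label:9} {iso}  <- {rule}")
```

The "rollback" sample shows why year-less syslog headers are worth a TIME_FORMAT of their own: the year is guessed from the indexer's clock, so a replayed or delayed event can land in the wrong year. On a live instance the same distinction is visible by comparing the extracted time with the index time, which Splunk keeps in the internal field _indextime, e.g. `... | eval lag_sec=_indextime-_time | stats max(lag_sec) by sourcetype`; a large or negative lag is the usual sign that one of the fallback rules, not the event's own timestamp, produced _time.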

zacksoft
Contributor

Thanks Kamlesh.

nikita_p
Contributor

Hi @zacksoft,
The _time field contains an event's timestamp expressed in Unix time. This field is used to create the event timeline in Splunk Web.
You can also go through the Splunk docs below.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Usedefaultfields

nickhills
Ultra Champion

It is the time Splunk thinks the event occurred.
Not the time it was indexed.
