Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Question about "_time" field

zacksoft
Contributor
‎12-29-2017 02:10 AM

In Splunk I see this built in field "_time". I am able to use it in my stats and and it gives me some time.

My question is,
Does this field give the time when the event was generated by my corresponding "source server"?
OR
Does this field give me the time of when that event was indexed by the "Splunk server" ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-29-2017 04:29 AM

HI @zacksoft,

Does this field give the time when the event was generated by my corresponding "source server"? : No Not directly.
OR
Does this field give me the time of when that event was indexed by the "Splunk server"?

Splunk software uses the following precedence rules to assign timestamps to events:

  • It looks for a time or date in the event itself using an explicit TIME_FORMAT, if provided. You configure the TIME_FORMAT attribute in props.conf.
  • If no TIME_FORMAT was configured for the data, Splunk software attempts to automatically identify a time or date in the event itself. It uses the source type of the event (which includes TIME_FORMAT information) to try to find the timestamp.
  • If an event has a time and date, but not a year, Splunk software determines the year, as described in How Splunk software determines timestamps with no year, and builds the timestamp from that.
  • If no events in a source have a date, Splunk software tries to find a date in the source name or file name. Time of day is not identified in filenames. (This requires that the events have a time, even though they don't have a date.)
  • For file sources, if no date can be identified in the file name, Splunk software uses the file modification time.
  • As a last resort, Splunk software sets the timestamp to the current system time when indexing each event.

Check this link:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/HowSplunkextractstimestamps

Thanks
Kamlesh

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-29-2017 04:29 AM

HI @zacksoft,

Does this field give the time when the event was generated by my corresponding "source server"? : No Not directly.
OR
Does this field give me the time of when that event was indexed by the "Splunk server"?

Splunk software uses the following precedence rules to assign timestamps to events:

  • It looks for a time or date in the event itself using an explicit TIME_FORMAT, if provided. You configure the TIME_FORMAT attribute in props.conf.
  • If no TIME_FORMAT was configured for the data, Splunk software attempts to automatically identify a time or date in the event itself. It uses the source type of the event (which includes TIME_FORMAT information) to try to find the timestamp.
  • If an event has a time and date, but not a year, Splunk software determines the year, as described in How Splunk software determines timestamps with no year, and builds the timestamp from that.
  • If no events in a source have a date, Splunk software tries to find a date in the source name or file name. Time of day is not identified in filenames. (This requires that the events have a time, even though they don't have a date.)
  • For file sources, if no date can be identified in the file name, Splunk software uses the file modification time.
  • As a last resort, Splunk software sets the timestamp to the current system time when indexing each event.

Check this link:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/HowSplunkextractstimestamps

Thanks
Kamlesh

Reply
Solved! Jump to solution

zacksoft
Contributor
‎12-29-2017 04:34 AM

Thanks Kamlesh.

0 Karma
Reply
Solved! Jump to solution

nikita_p
Contributor
‎12-29-2017 03:49 AM

Hi @zacksoft,
The _time field contains an event's timestamp expressed in Unix time. This field is used to create the event timeline in Splunk Web.
You can also go through below splunk docs.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Usedefaultfields

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎12-29-2017 02:12 AM

It is the time Splunk thinks the event occurred.
Not the time it was indexed.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...