Solved: What is the difference between now() and _time?

smanojkumar · ‎09-08-2022

What is the difference between now() and _time?

gcusello · ‎09-08-2022

Hi @smanojkumar,

_time is the timestamp of each event and it's usually extracted from the raw event.

now() is a function, it's usully used in eval statements, that returns the date and time when the search runs.

So they give you different information in the same format (epochtime).

Ciao.

Giuseppe

View solution in original post

ITWhisperer · ‎09-08-2022

now() is in seconds, but there is a function time() which is in my environment goes to microseconds - _time as used by makeresults is usually the same as now()

| makeresults
| eval now=now()
| eval time=time()
| fieldformat now=strftime(now,"%F %T.%9N")
| fieldformat time=strftime(time,"%F %T.%9N")
| fieldformat _time=strftime(_time,"%F %T.%9N")

gcusello · ‎09-08-2022

Hi @smanojkumar,

_time is the timestamp of each event and it's usually extracted from the raw event.

now() is a function, it's usully used in eval statements, that returns the date and time when the search runs.

So they give you different information in the same format (epochtime).

Ciao.

Giuseppe

What is the difference between now() and _time?

timechart

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)