I have two different sourcetypes, and I noticed that one of them always has a "time" field, and another has a _time field. Neither one are provided by the vendor, or are key-value pairs, so I'm wondering how/why Splunk creates these fields?
_time is the Splunk reserved (internal) name for the event's time stamp. So when you look at events with your sourcetype that has a 'time' field in it, does it show 'time' as a field within the event panel in the search window? If so, then it is an extracted field (either during indexing or during search).
The other option is that someone create a extra field extraction or a heavy forward/index is cooking the data adding the the extra field for one of your sources.
I'd use btool on the sourcetype and the source (potentially with wildcards) to find where that field conversion is going down. All data indexed in splunk should have a hidden _time field. Any other value is coming from config, not the product.
