_time and the timestamp in the row data are having...

ethanthomas · ‎03-08-2021

I could see there is a slight difference ( in seconds - from 1 to 10) between the _time and the timestamp field in the row data. Is this expected or this should be exacty matching ? Please note that the difference is only interms of seconds .

Is there someway to fix this issue ? What could be the reason the _time is not showing exact time as in the timestamp ?

scelikok · ‎03-22-2021

Hi @ethanthomas,

If Splunk uses your timestamp field, it will be exactly same regardless of any latency/delay on ingestion. But it seems Splunk cannot recognize timestamp in the first 128 characters and putting its current time.

Can you please post a sample full event?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok · ‎03-08-2021

Hi @ethanthomas,

It seems Splunk is not using your timestamp field as _time during ingestion. You should check your props.conf on indexers or heavy forwarder. Be sure following are set and correct;

TIME_PREFIX

TIME_FORMAT

If this reply helps you an upvote and "Accept as Solution" is appreciated.

ethanthomas · ‎03-22-2021

if timestamp is not picking , how exactly the _time is getting the correct time by difference only in seconds ? in the raw data , ia m not seeing any other time parametes .

_time and the timestamp in the row data are having slight variation

field extraction

stats

timechart

tstats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!