Re: _time and the timestamp in the row data are ha...

ethanthomas · ‎03-08-2021

I could see there is a slight difference ( in seconds - from 1 to 10) between the _time and the timestamp field in the row data. Is this expected or this should be exacty matching ? Please note that the difference is only interms of seconds .

Is there someway to fix this issue ? What could be the reason the _time is not showing exact time as in the timestamp ?

scelikok · ‎03-22-2021

Hi @ethanthomas,

If Splunk uses your timestamp field, it will be exactly same regardless of any latency/delay on ingestion. But it seems Splunk cannot recognize timestamp in the first 128 characters and putting its current time.

Can you please post a sample full event?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok · ‎03-08-2021

Hi @ethanthomas,

It seems Splunk is not using your timestamp field as _time during ingestion. You should check your props.conf on indexers or heavy forwarder. Be sure following are set and correct;

TIME_PREFIX

TIME_FORMAT

If this reply helps you an upvote and "Accept as Solution" is appreciated.

ethanthomas · ‎03-22-2021

if timestamp is not picking , how exactly the _time is getting the correct time by difference only in seconds ? in the raw data , ia m not seeing any other time parametes .

_time and the timestamp in the row data are having slight variation

field extraction

stats

timechart

tstats

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector