Splunk Search

Why does one of my sourcetypes have a time field and the others a _time field?

a212830
Champion

Hi,

I have two different sourcetypes, and I noticed that one of them always has a "time" field, and the other has a _time field. Neither one is provided by the vendor or is a key-value pair, so I'm wondering how/why Splunk creates these fields?

0 Karma

pgreer_splunk
Splunk Employee

_time is the Splunk reserved (internal) name for the event's timestamp. So when you look at events with your sourcetype that has a 'time' field in it, does it show 'time' as a field within the event panel in the search window? If so, then it is an extracted field (either during indexing or during search).

bmacias84
Champion

Someone probably created a field alias for one of the sourcetypes.

0 Karma

a212830
Champion

Nope. It's all centrally managed, and these are custom feeds.

0 Karma

bmacias84
Champion

The other option is that someone created an extra field extraction, or a heavy forwarder/indexer is cooking the data, adding the extra field for one of your sources.

0 Karma

sloshburch
Splunk Employee

I'd use btool on the sourcetype and the source (potentially with wildcards) to find where that field conversion is going down. All data indexed in Splunk should have a hidden _time field. Any other value is coming from config, not the product.

0 Karma
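The btool check suggested above, as an added example that is not part of the original thread. It assumes the `--debug` output format of `splunk btool props list <sourcetype> --debug` (each line is the defining file path followed by the stanza header or setting) and filters it down to the field-producing settings (FIELDALIAS, EXTRACT, REPORT, EVAL, LOOKUP) that mention the field you are chasing, so you see which file and stanza introduce it. The sample btool output, the `custom_feeds` app and the `custom:feed_a` sourcetype are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): locate the config that creates a
# given search-time field, using `splunk btool props list ... --debug` output.
#
# Real usage, once you know the sourcetype:
#   "$SPLUNK_HOME/bin/splunk" btool props list "$SOURCETYPE" --debug | find_field_origin time
# For source:: stanzas, drop the sourcetype argument and list everything:
#   "$SPLUNK_HOME/bin/splunk" btool props list --debug | find_field_origin time

# Print the file, stanza and setting for every field-producing setting that
# references FIELD as a whole token. Reads btool --debug output on stdin.
find_field_origin() {
    field="$1"
    awk -v field="$field" '
    {
        file = $1
        sub(/^[^ \t]+[ \t]+/, "")          # strip the leading file path
        if ($0 ~ /^\[.*\]$/) { stanza = $0; next }   # remember current stanza
        # Only settings that can add a field at index or search time.
        if ($0 !~ /^(FIELDALIAS|EXTRACT|REPORT|EVAL|LOOKUP)-/) next
        # Tokenise on non-identifier characters so "time" does not match "_time".
        line = $0
        gsub(/[^A-Za-z0-9_]/, " ", line)
        n = split(line, tok, " ")
        for (i = 1; i <= n; i++) {
            if (tok[i] == field) {
                printf "%s\t%s\t%s\n", file, stanza, $0
                break
            }
        }
    }'
}

# Constructed sample of btool --debug output (hypothetical app and sourcetype).
sample_btool_output() {
    cat <<'EOF'
/opt/splunk/etc/apps/custom_feeds/local/props.conf   [custom:feed_a]
/opt/splunk/etc/apps/custom_feeds/local/props.conf   TIME_PREFIX = ^
/opt/splunk/etc/apps/custom_feeds/local/props.conf   TIME_FORMAT = %Y-%m-%dT%H:%M:%S
/opt/splunk/etc/apps/custom_feeds/local/props.conf   FIELDALIAS-ts = _time AS time
/opt/splunk/etc/apps/custom_feeds/local/props.conf   EXTRACT-user = user=(?<user>\S+)
/opt/splunk/etc/system/default/props.conf            SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf            MAX_TIMESTAMP_LOOKAHEAD = 128
EOF
}

# Demo: which setting creates the "time" field on the sample sourcetype?
sample_btool_output | find_field_origin time
```

TIME_PREFIX and TIME_FORMAT are deliberately excluded: they tell Splunk how to parse the timestamp into _time and never create a visible field themselves. Run the same check against transforms.conf (`splunk btool transforms list --debug`) if a REPORT- setting turns up, since the actual field names live in the referenced transform.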