Population/calculation of _time, also known as timestamp recognition, is done during indexing of the data. This link should give you all the information you need.
http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/HowSplunkextractstimestamps
That's great. It says -
If no TIME_FORMAT was configured for the data, Splunk Enterprise attempts to automatically identify a time or date in the event itself. It uses the source type of the event (which includes TIME_FORMAT information) to try to find the timestamp.
Does it mean that if there are multiple candidates in the event, it takes the first one it encounters, left to right?
Not sure if my previous comment was saved. Yes, that is correct.
But again, it's always better to specify TIME_FORMAT and TIME_PREFIX (the location of the timestamp) to reduce the additional data parsing load on Splunk.
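As an added illustration (not part of the original thread), a props.conf stanza that pins the timestamp for an event carrying two date-like strings, so the left-to-right guess described above never comes into play; the sourcetype name and the event layout are assumptions:

```ini
# props.conf (added example; the sourcetype name and event layout are assumed)
#
# Constructed sample event, with two date-like strings and the real one second:
#   retention_until=2017-01-01 event_time=2016-05-03 14:22:07 msg="login ok"
#
# With automatic recognition Splunk takes the first candidate it finds scanning
# left to right, here 2017-01-01. Stating the location and format removes the
# ambiguity and skips the per-event timestamp search.
[app:audit]
# Regex that must match immediately before the timestamp
TIME_PREFIX = event_time=
# strptime-style format of the timestamp itself
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Look at most this many characters after TIME_PREFIX for the timestamp
MAX_TIMESTAMP_LOOKAHEAD = 19
# The events carry no zone; state it instead of inheriting the indexer's
TZ = UTC
```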
Perfect - thank you!!!
That is correct