Getting Data In

timestamp equals none

motobeats
Path Finder

I am trying to use the timestamp field to find the time diff between events. However, I see that the field equals none or is empty for all of my events for this particular log. Why would this field not be populated?


lguinn2
Legend

All events in Splunk have a timestamp; the name of the field is _time. It is an internal field, which may or may not be derived directly from the data in the source log files. Internal fields do not appear in the fields sidebar; perhaps that is why you didn't know about it.

As Ayn points out, there are whole sections in the Splunk documentation that deal with configuring timestamps: Configure timestamp recognition is a good read.

In summary: Splunk looks first at the event and tries to find a timestamp. While you can configure timestamp recognition, Splunk is quite good at automatically interpreting timestamps if they are in a reasonable format. Splunk also can apply a time zone adjustment to the timestamp, if you have configured it.

If there is no timestamp in the event itself, Splunk looks for other ways of identifying the likely time of the event, such as the source file modification time.

If all else fails as Splunk is parsing the event, Splunk uses the clock time as the event timestamp.

Based on the above, Splunk calculates and stores the timestamp in _time.

Splunk does not change the actual format or content of the event; the _time field exists as metadata for every event. There is no "timestamp" column, unless you have a specific source that defines such a field.


motobeats
Path Finder

lguinn - I get a table with event time and source. So that seems good. In looking at some other logs, I can't find the timestamp column populated there either. Does it matter? Is timestamp something Splunk creates or does it reference a field in the log it copies wholesale?


Ayn
Legend

Also the _time field always exists for events in Splunk's index. If you don't see it you're doing something wrong.

Ayn
Legend

Shouldn't that be _time?

lguinn2
Legend

What do you get if you do the following?

source=thelogwithaproblem
| table _time, source

(Thanks @Ayn - I must have had a little mental vacation there)
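Building on the search above, the following is an added example (not posted by anyone in this thread) of how to get the time difference between consecutive events using the internal _time field rather than a nonexistent "timestamp" field. It assumes the same placeholder source name, thelogwithaproblem, and sorts oldest-first so that each gap is measured from the preceding event of the same source.

```spl
source=thelogwithaproblem
| sort 0 _time
| streamstats current=f window=1 last(_time) as prev_time by source
| eval gap_seconds = _time - prev_time
| eval event_time = strftime(_time, "%Y-%m-%d %H:%M:%S %Z")
| table event_time, source, gap_seconds
| where isnotnull(gap_seconds)
```

The first event per source has no predecessor, so its gap_seconds is null and is dropped by the final where clause; a sudden large gap_seconds on a log that normally writes steadily is a quick indicator that the source stopped logging or that timestamp recognition fell back to file modification or clock time.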
