I am trying to use the timestamp field to find the time diff between events. However, I see that the field equals none or is empty for all of my events for this particular log. Why would this field not be populated?
All events in Splunk have a timestamp; the name of the field is _time. It is an internal field, which may or may not be derived directly from the data in the source log files. Internal fields do not appear in the fields sidebar; perhaps that is why you didn't know about it.
As Ayn points out, there are whole sections in the Splunk documentation that deal with configuring timestamps: Configure timestamp recognition is a good read.
In summary: Splunk looks first at the event and tries to find a timestamp. While you can configure timestamp recognition, Splunk is quite good at automatically interpreting timestamps if they are in a reasonable format. Splunk also can apply a time zone adjustment to the timestamp, if you have configured it.
If there is no timestamp in the event itself, Splunk looks for other ways of identifying the likely time of the event, such as the source file modification time.
If all else fails as Splunk is parsing the event, Splunk uses the clock time as the event timestamp.
Based on the above, Splunk calculates and stores the timestamp in _time.
Splunk does not change the actual format or content of the event; the _time field exists as metadata for every event. There is no "timestamp" column, unless you have a specific source that defines such a field.
How Splunk deals with timestamps - http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition
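The original question was about computing the time difference between consecutive events. The following search is an added example, not part of the answer above; it uses the _time field that every event carries rather than a "timestamp" field. The source name thelogwithaproblem is a placeholder taken from the discussion. The time_from_event column relies on the date_* fields (date_hour and friends), which Splunk only extracts when the timestamp was parsed from the event text itself, so a "no" there flags events whose _time came from a fallback such as file modification time or index time and whose deltas should not be trusted for correlation.

```spl
source=thelogwithaproblem
| sort 0 _time
| streamstats current=f last(_time) as prev_time
| eval diff_seconds = _time - prev_time
| eval event_time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval time_from_event = if(isnotnull(date_hour), "yes", "no")
| table event_time, diff_seconds, time_from_event, source
```

The first event in the sorted stream has no predecessor, so its diff_seconds is null; add `| where isnotnull(prev_time)` if you want to drop it. Sorting with `sort 0` removes the default result limit so the deltas are computed over the whole result set.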
lguinn - I get a table with event time and source. So that seems good. In looking at some other logs, I can't find the timestamp column populated there either. Does it matter? Is timestamp something Splunk creates or does it reference a field in the log it copies wholesale?
Also the _time field always exists for events in Splunk's index. If you don't see it you're doing something wrong.
Shouldn't that be _time?
What do you get if you do the following?
source=thelogwithaproblem
| table _time, source
(Thanks @Ayn - I must have had a little mental vacation there)