Solved: How is _time being populated?

ddrillic · ‎05-11-2016

I wonder how _time is being populated by default. Is it "simply" by assigning the first date/time field into _time?

somesoni2 · ‎05-11-2016

Population/calculation of _time, also known as timestamp recognition, is done during indexing of the data. This link should give you all the information you need.

http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/HowSplunkextractstimestamps

View solution in original post

somesoni2 · ‎05-11-2016

Population/calculation of _time, also known as timestamp recognition, is done during indexing of the data. This link should give you all the information you need.

http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/HowSplunkextractstimestamps

ddrillic · ‎05-11-2016

That's great. It says -

2 ---
If no TIME_FORMAT was configured for the data, Splunk Enterprise attempts to automatically identify a time or date in the event itself. It uses the source type of the event (which includes TIME_FORMAT information) to try to find the timestamp.

Does it mean that if there are multiple candidates in the event, it takes the first one it encounters, left to right?

somesoni2 · ‎05-11-2016

Not sure if my previous comment was saved, Yes that is correct.

But again it's always better to specify TIME_FORMAT and TIME_PREFIX (location of timestamp) to reduce additional data parsing load on Splunk.

ddrillic · ‎05-11-2016

Perfect - thank you!!!

somesoni2 · ‎05-11-2016

That is correct

How is _time being populated?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio