Admin Manual

How Splunk Works

How Splunk recognizes timestamps


Accurate timestamps are crucial for correlating events by time, for using Splunk's histogram, and for setting time ranges on searches. Splunk makes a best effort to assign an accurate timestamp to every event. If it cannot find a timestamp in a given source or event, it sets the event's timestamp to the current time at indexing.


Timestamp precedence

When timestamping, Splunk sets a local variable for both the date and time. These variables are updated continuously throughout the indexing process, via the following steps:


  1. Splunk looks for a time or date in the event itself.
  2. If an event does not have a time or date, Splunk uses the timestamp from the previous event in the same source.
  3. If no events in a source have a time or date, Splunk looks in the source (or file) name.
  4. Splunk uses the indexing time and date if no other timestamp is found.

If you would like Splunk to set timestamps in a different manner, see Change how Splunk recognizes timestamps. You can also train Splunk to recognize timestamps, or tune timestamping to improve Splunk's indexing performance.
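The four precedence steps above, worked through on constructed sample data. This is an added illustration written for this page, not Splunk's own timestamping code; the source path, the log lines and the timestamp formats are all assumptions. The `previous` variable plays the role of the local date/time variable the text describes, and each event is labelled with the rule that supplied its timestamp, so an analyst can see how many events in a source were not timestamped from their own content before trusting them for time-based correlation.

```python
import re
from datetime import datetime, timezone

# Constructed sample source (hypothetical path): the file name carries a date,
# and some lines carry a full timestamp while others carry none.
SOURCE_NAME = "/var/log/auth-2008-03-14.log"
SAMPLE_EVENTS = [
    "2008-03-14 10:15:02 sshd[1201]: Accepted publickey for alice from 10.0.0.5",
    "  continuation line without any timestamp",
    "2008-03-14 10:15:09 sshd[1201]: session opened for user alice",
    "another event with no date or time at all",
]

# Assumed formats: "YYYY-MM-DD HH:MM:SS" inside an event, "YYYY-MM-DD" in a file name.
EVENT_TS = re.compile(r"(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})")
SOURCE_DATE = re.compile(r"(\d{4}-\d{2}-\d{2})")


def parse_event_timestamp(event):
    """Step 1: look for a date and time in the event itself."""
    m = EVENT_TS.search(event)
    if not m:
        return None
    stamp = f"{m.group(1)} {m.group(2)}"
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_source_date(source):
    """Step 3: look for a date in the source (file) name; time defaults to midnight."""
    m = SOURCE_DATE.search(source)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)


def assign_timestamps(events, source, index_time):
    """Apply the precedence steps in order; returns a (timestamp, rule) pair per event.

    rule is one of "event", "previous-event", "source-name" or "index-time",
    naming the step that supplied the timestamp.
    """
    results = []
    previous = None  # the running date/time variable, updated by timestamps found in events
    for event in events:
        ts = parse_event_timestamp(event)
        if ts is not None:                      # step 1: the event carries its own timestamp
            rule = "event"
            previous = ts
        elif previous is not None:              # step 2: reuse the previous event's timestamp
            ts, rule = previous, "previous-event"
        else:
            ts = parse_source_date(source)      # step 3: fall back to a date in the source name
            if ts is not None:
                rule = "source-name"
            else:
                ts, rule = index_time, "index-time"  # step 4: nothing found, use index time
        results.append((ts, rule))
    return results


def fallback_summary(results):
    """Count how many events were timestamped by each rule.

    A high share of "previous-event", "source-name" or "index-time" means the
    source's timestamps are inferred rather than read, which weakens any
    time-based correlation built on it.
    """
    counts = {}
    for _, rule in results:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for ts, rule in assign_timestamps(SAMPLE_EVENTS, SOURCE_NAME, now):
        print(ts.isoformat(), rule)
    print(fallback_summary(assign_timestamps(SAMPLE_EVENTS, SOURCE_NAME, now)))
```

Run it as a script to print each event's assigned timestamp and the rule that produced it; the summary line makes it obvious when a source is being timestamped mostly by inheritance or by the index clock rather than from its own content.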


Configuration files for timestamps

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.

