How timestamp extraction works
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
How timestamp extraction works
Splunk uses timestamps to correlate events by time, create the histogram in Splunk Web and to set time ranges for searches. Timestamps are assigned to events at index time. Most events get a timestamp value assigned to them based on information in the raw event data. If an event doesn't contain timestamp information, Splunk attempts to assign a timestamp value to the event as it's indexed. Splunk stores timestamp values in the _time field (in UTC time format).
Precedence rules for timestamp assignment
Splunk uses the following precedence to assign timestamps to events:
1. Look for a time or date in the event itself (use positional timestamp extraction for events that have more than one timestamp value in the raw data).
2. If event doesn't have a time or date, use the timestamp from the most recent previous event of the same source.
3. If no events in a source have a time or date, look in the source (or file) name.
4. If no other timestamp is found, set the timestamp to the current system time (at the event's index time).
Configure timestamps
Most events don't require any special timestamp handling. For some sources and distributed deployments, you may have to configure timestamp formatting to extract timestamps from events. Configure Splunk's timestamp extraction processor by editing props.conf.
Configure Splunk's timestamp extraction processor to:
- recognize different timestamp formats based on host, source, or sourcetype.
- apply timezone offsets to different hosts, sources, or sourcetypes.
- recognize European date format timestamps.
- pull the correct timestamp in events with more than one timestamp.
- improve indexing performance.
- learn new timestamp formats.
This documentation applies to the following versions of Splunk: 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.