Knowledge Manager Manual

Overview of event timestamping

Look again at the sample event that we showed you in the About events topic.

172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953

Notice the time information in the event: [01/Jul/2005:12:05:27 -0700]. This is what is known as a timestamp. Splunk uses timestamps to correlate events by time, create the histogram in Splunk Web, and set time ranges for searches. Most events contain timestamps, and in those cases where an event doesn't contain timestamp information, Splunk attempts to assign a timestamp value to the event at index time.
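To make the two cases above concrete, here is a small parser (an added example, not Splunk's own code) that pulls the bracketed timestamp out of the sample event, normalises it to UTC so events from hosts in different zones line up, and falls back to an index time when the event carries no timestamp. The index time and the timestamp-less line are constructed for the example; the skew check flags the misconfigured-offset case that quietly breaks time-based correlation.

```python
import re
from datetime import datetime, timezone

# Bracketed timestamp as it appears in the sample event, e.g. "[01/Jul/2005:12:05:27 -0700]".
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # %b assumes English month names (C locale)

# Constructed sample input: the event from the page, plus one line with no timestamp.
SAMPLE_EVENT = ('172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] '
                '"GET /trade/app?action=logout HTTP/1.1" 200 2953')
NO_TS_EVENT = 'kernel: eth0: link up'
# Constructed "index time": when the indexer received the line.
INDEX_TIME = datetime(2005, 7, 1, 19, 5, 30, tzinfo=timezone.utc)

def extract_timestamp(event, index_time):
    """Return (utc_datetime, source). source is "event" when the time was parsed
    from the text, or "index" when, like Splunk, we fall back to the index time."""
    m = TS_RE.search(event)
    if m:
        parsed = datetime.strptime(m.group(1), TS_FMT)   # %z keeps the -0700 offset
        return parsed.astimezone(timezone.utc), "event"
    return index_time.astimezone(timezone.utc), "index"

def skew_seconds(event, index_time):
    """Signed gap between the event's own time and the index time. Events in the
    future or whole-hour gaps usually mean a wrong timezone or format, which
    places the event in the wrong search window without any parse error."""
    ts, source = extract_timestamp(event, index_time)
    if source == "index":
        return 0.0
    return (ts - index_time.astimezone(timezone.utc)).total_seconds()

if __name__ == "__main__":
    for line in (SAMPLE_EVENT, NO_TS_EVENT):
        ts, src = extract_timestamp(line, INDEX_TIME)
        print(f"{src:5} {ts.isoformat()} skew={skew_seconds(line, INDEX_TIME):+.0f}s  {line[:40]}")
```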

Most events do not require additional handling of timestamp formatting, but there are situations that require the involvement of a Splunk administrator to help set things right. In the case of some sources and distributed deployments, for example, the Splunk admin may have to reconfigure timestamp recognition and formatting. Other timestamp-handling activities that the admin might undertake include:

For more information about these topics and more, see the "Timestamps" chapter of the Admin manual.

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.
