Documentation > Splunk > Admin Manual > How timestamps work

Admin Manual

 


Welcome
What to do first
Start Splunk
Meet Splunk Web and Splunk Apps
Before you configure
Add data and configure inputs
Indexing and event processing
Timestamps
Add and manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Set up forwarding and receiving
Deploy to other Splunk instances
Set up distributed search
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference
Troubleshooting

How timestamps work

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

How timestamps work

Splunk uses timestamps to correlate events by time, create the timeline histogram in Splunk Web and to set time ranges for searches. Timestamps are assigned to events at index time. Most events get a timestamp value assigned to them based on information in the raw event data. If an event doesn't contain timestamp information, Splunk attempts to assign a timestamp value to the event as it's indexed. Splunk stores timestamp values in the _time field (in UTC time format).

Considerations when adding new data

If your data turns out to require timestamp configuration beyond what Splunk does automatically, you must re-index that data once you've configured its timestamp extraction. It's a good idea to test a new data input in a "sandbox" Splunk instance (or just a separate index) before adding it to your production Splunk instance in case you have to clean it out and re-index it a few times to get it just right.

Precedence rules for timestamp assignment

Splunk uses the following precedence to assign timestamps to events:

1. Look for a time or date in the event itself using an explicit TIME_FORMAT if provided.

Use positional timestamp extraction for events that have more than one timestamp value in the raw data, and also when the timestamp is not at the start of each event.

2. If no TIME_FORMAT is provided, or no match is found, attempt to automatically identify a time or date in the event itself.

Use positional timestamp extraction for events that have more than one timestamp value in the raw data.

3. If an event doesn't have a time or date, use the timestamp from the most recent previous event of the same source.

4. If no events in a source have a date, look in the source (or file) name for the date. (This means the events must have time-of-day to complete the timestamp).

5. For file sources, if either the date or time has not yet been identified, use the modification time on the file to derive the missing date and/or time.

6. If no other timestamp is found, set the timestamp to the current system time (the time that the event is written to the index).

Configure timestamps

Most events don't require any special timestamp handling. For some sources and distributed deployments, you may have to configure timestamp formatting to extract timestamps from events. Configure Splunk's timestamp extraction processor by editing props.conf. For a complete discussion of the timestamp configurations available in props.conf, see this overview.

You can also configure Splunk's timestamp extraction processor to:

Finally, train Splunk to recognize new timestamp formats.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.0.4/Admin/HowSplunkExtractsTimestamps"

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.