How timestamp assignment works
Splunk Enterprise assigns timestamps to events at index time. It usually assigns timestamp values automatically, using information in the raw event data. If an event doesn't contain an explicit timestamp, Splunk Enterprise attempts to assign a timestamp value through other means. For some data, it might need your help to tell it how to recognize the timestamps.
Splunk Enterprise stores timestamp values in the
_time field (in UTC time format).
How Splunk Enterprise assigns timestamps
Splunk Enterprise uses the following precedence rules to assign timestamps to events:
1. Splunk looks for a time or date in the event itself using an explicit
TIME_FORMAT, if provided. You configure the
TIME_FORMAT attribute in
2. If no
TIME_FORMAT was configured for the data, Splunk Enterprise attempts to automatically identify a time or date in the event itself. It uses the source type of the event (which includes
TIME_FORMAT information) to try to find the timestamp.
3. If an event doesn't have a time or date, Splunk Enterprise uses the timestamp from the most recent previous event of the same source.
4. For file sources, if no date can be identified in the file name, Splunk Enterprise uses the file's modification time.
5. As a last resort, Splunk Enterprise sets the timestamp to the current system time when indexing each event.
Note: Splunk Enterprise can only extract dates from a source, not times. If you need to extract a time from a source, use a transform.
Most events don't require any special timestamp handling. Splunk Enterprise automatically recognizes and extracts their timestamps. However, for some sources and distributed deployments, you might need to configure how Splunk Enterprise extracts timestamps, so that they format properly.
There are two ways to configure timestamp extraction:
- Use the data preview feature to interactively adjust timestamps on sample data. Once you're happy with the results, you can save the changes to a new source type and then apply that source type to your data inputs. See the chapter "Preview your data".
You can also configure Splunk's timestamp extraction processor to:
- Apply time zone offsets.
- Pull the correct timestamp from events with more than one timestamp.
- Improve indexing performance.
Considerations when adding data from new inputs
If you index some data from a new input and then discover that you need to adjust the timestamp extraction process, you will need to re-index that data once you've made the configuration changes. Therefore, it's a good idea to preview your data, as described in the chapter "Preview your data".
Alternatively, you can test new data inputs in a test instance of Splunk Enterprise (or just in a separate index on the production Splunk instance) before adding data to your production instance. That way, if you need to make adjustments, you can easily clean out the data and re-index it until you get it right.
Configure timestamp recognition
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14