Docs » Where does a log’s logical time come from?

Where does a log’s logical time come from? 🔗

A log’s logical time can come from different places, depending on what data is available for the log. Your logs may have fields, such as timestamp or Time, that sound like the log’s logical time. However, Log Observer determines the log’s logical time and assigns it to the field, _time. If your logs already contain the field _time, Log Observer overwrites it.

Log Observer applies the following three rules, in priority order, to determine each log’s logical time:

  1. The time matched and parsed by any rule you created using an Event Time Processor, a log processing rule (See Create an Event Time Processor for more information.)

  2. The timestamp sent as part of the HTTP Event Collector (HEC) protocol as the event time

  3. The time when the log event hits Splunk Observability Cloud

First, Log Observer checks for a matching Event Time Processor, rule 1 in the preceding list. If there is a match, it is used as the logical time. Log Observer prioritizes an Event Time Processor rule first because it was a rule you created to determine your logs’ logical time.

If there is no match to an Event Time Processor rule, Log Observer checks for a timestamp sent as part of the HEC protocol as the event time. If there is a HEC protocol timestamp, it becomes that log’s logical time in Log Observer.

If there is no HEC protocol timestamp, Log Observer uses the time when the log event first hits Splunk Observability Cloud as the log’s logical time.