Topics

| pdf version

How Splunk Works

Getting Started

Configuring a Splunk Deployment

Data Inputs

Hosts

Source Types

Timestamp Recognition

Events

Event Types

Meta Events

Fields

Segmentation

Saved Searches and Alerts

Authentication

Data Distribution

Granular Access Control

Distributed Search

Deployment Server

Index Management

Bundles

SplunkBase

Performance Tuning

Routine Maintenance

How-To

Troubleshooting

Reference


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

How Splunk recognizes timestamps

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4

How Splunk recognizes timestamps

Accurate timestamps are crucial for correlating events by time, using Splunk's histogram and setting time ranges for searches. Splunk will make a best effort to assign an accurate timestamp. However, if Splunk cannot find a timestamp within a given source or event, the timestamp will be set to the current time (at indexing).


Timestamp precedence

When timestamping, Splunk sets a local variable for both the date and time. These variables are updated continuously throughout the indexing process, via the following steps:


  1. Splunk looks for a time or date in the event itself.
  1. If an event does not have a time or date, Splunk uses the timestamp from the previous event in the same source.
  1. If no events in a source have a time or date, Splunk will look in the source (or file) name.
  1. Splunk will use indexing time and date if no other timestamp is found.

If you would like to configure Splunk to set timestamps in a different manner, please read change how Splunk recognizes timestamps. You can also train Splunk to recognize timestamps or tune timestamping to increase Splunk's performance.


Configuration files for timestamps

  • Timestamp format and recognition can be configured via props.conf.
  • Before manually modifying any configuration file, please read about bundle files.
Retrieved from "http://www.splunk.com/base/Documentation/3.0/Admin/HowSplunkRecognizesTimestamps"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.