Identify the dataset time field

Configure time settings for your Amazon S3 dataset to use time-based fields and functions in federated searches.

If your dataset contains a time field and you want to run searches over the dataset that involve time-based filters and functions, you must identify this time field in the dataset definition, because Splunk software cannot identify this time field for you.

When you specify the time field, you must also supply the format for the time field, and identify a Unix time field value, such as _time, that Splunk software can convert into numeric UNIX time format at search time.

For more information about these time settings, see the following definitions.

Time field

Enter the name of the field that acts as an event timestamp in the Amazon S3 dataset.

The time field name can contain only lowercase letters, numbers, underscores, and dot characters (.).

If the time field name contains dot characters but is not a nested field, surround it with single quote characters.

Time format

Provide a time format variable or custom time format variable string that matches the Time field.

You can set the following values for Time format:

  • Set %s when the Time field has UNIX time values with the string data type.
  • Set %UT when the Time field has UNIX time values with the numeric data type.
  • Set %ST when the Time field has values with the SQL timestamp data type.
  • Set a custom string of time format variables when the Time field has values that follow a specific string time format. For more information, see Using time variables in the SPL2 Search Manual.

Note: %UT and %ST are not among the standard set of Splunk platform time format variables. Use them only in the context of Federated Search for Amazon S3.

You can optionally append the %Q time format variable to capture subsecond timestamps, such as milliseconds (%3Q), microseconds (%6Q), and nanoseconds (%9Q). For example, for a time field in numeric-typed UNIX time format with a nanosecond component, use %UT.%9Q, or %UT%9Q if you do not need a dot character separator.

Unix time field

The Unix time field provides an alias for the Time field that Splunk software converts into numeric UNIX time format at search time. Insert the Unix time field into federated searches that require numeric UNIX time field values, or when you want to see your time field in numeric UNIX time format in the search results.

The Unix time field defaults to _time. In Splunk Web, the values of _time always display in human-readable format, unless you are aggregating on the _time field.

Note: If _time already exists as a field name in your dataset, give the Unix time field a value other than _time.
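The following Python example, added here and not part of the Splunk documentation or Splunk's own code, illustrates the three settings described above: it checks a Time field name against the allowed character set, applies the single-quote rule for dotted, non-nested names, and converts sample values to numeric UNIX time according to the %s, %UT, %ST, and custom Time format conventions, including the %Q subsecond suffix with and without a dot separator. The sample values are constructed; treating SQL timestamps and custom formats without a zone as UTC is an assumption of this example, and Splunk's actual search-time conversion is not shown here.

```python
import re
from datetime import datetime, timezone
from decimal import Decimal

# Time field names may use only lowercase letters, digits, underscores, and dots.
_FIELD_NAME_RE = re.compile(r"^[a-z0-9_.]+$")

# Built-in formats: %s, %UT or %ST, an optional dot separator, an optional %<n>Q suffix.
_BUILTIN_RE = re.compile(r"^(%s|%UT|%ST)(\.?)(?:%(\d)Q)?$")


def valid_time_field_name(name: str) -> bool:
    """Return True when the name uses only the characters the docs allow."""
    return bool(_FIELD_NAME_RE.match(name))


def quote_time_field(name: str, nested: bool = False) -> str:
    """Surround a dotted field name with single quotes unless it is a nested field."""
    if "." in name and not nested:
        return f"'{name}'"
    return name


def _datetime_to_unix(dt: datetime) -> Decimal:
    """Convert an aware datetime to exact UNIX seconds (whole seconds plus microseconds)."""
    whole = int(dt.replace(microsecond=0).timestamp())
    return Decimal(whole) + Decimal(dt.microsecond) / Decimal(1_000_000)


def to_unix_time(value, time_format: str) -> Decimal:
    """Convert one Time field value to numeric UNIX time using the given Time format.

    Values with a subsecond component are passed as strings so that no
    precision is lost before the conversion (constructed example convention).
    """
    text = str(value)
    m = _BUILTIN_RE.match(time_format)
    if m:
        base, sep, q = m.groups()
        if base == "%ST":
            # SQL timestamp, with or without a fractional second; assumed UTC.
            fmt = "%Y-%m-%d %H:%M:%S" + (".%f" if "." in text else "")
            dt = datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
            return _datetime_to_unix(dt)
        # %s (string) and %UT (numeric) both carry UNIX seconds directly.
        if q is None or sep == ".":
            # Either no subsecond part, or it follows a dot: 1700000000.123456789
            return Decimal(text)
        # No separator: the %<n>Q digits are appended directly, e.g. 1700000000123456789
        scale = 10 ** int(q)
        whole = int(text)
        return Decimal(whole // scale) + Decimal(whole % scale) / Decimal(scale)

    # Custom string of time format variables. Most Splunk variables match strptime;
    # %<n>Q is mapped to strptime's %f, which accepts one to six digits, so %9Q in a
    # custom string is outside what this example handles.
    fmt = re.sub(r"%\dQ", "%f", time_format)
    dt = datetime.strptime(text, fmt)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: UTC when no zone is given
    return _datetime_to_unix(dt)


if __name__ == "__main__":
    # Constructed sample values, one per Time format style described in the docs.
    samples = [
        ("1700000000", "%s"),
        (1700000000, "%UT"),
        ("1700000000.123456789", "%UT.%9Q"),
        ("1700000000123456789", "%UT%9Q"),
        ("2023-11-14 22:13:20.5", "%ST"),
        ("2023-11-14T22:13:20.250Z", "%Y-%m-%dT%H:%M:%S.%3QZ"),
    ]
    for value, fmt in samples:
        print(f"{fmt:28} {value!s:28} -> {to_unix_time(value, fmt)}")
    print(quote_time_field("event.ts"), quote_time_field("event.ts", nested=True))
```

Every sample above resolves to the same instant, 2023-11-14 22:13:20 UTC (UNIX time 1700000000), which makes it easy to see how each format contributes its subsecond digits. Returning Decimal rather than float keeps the %9Q nanosecond component exact.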