A log’s logical time can come from different places, depending on what data is available for the log. Your logs may have fields, such as timestamp or Time, that sound like the log’s logical time. However, Log Observer Connect determines the log’s logical time and assigns it to the field, _time. If your logs already contain the field _time, Log Observer Connect overwrites it.

Log Observer Connect applies the following two rules, in priority order, to determine each log’s logical time:

• The timestamp sent as part of the HTTP Event Collector (HEC) protocol as the event time

• The time when the log event hits Splunk Observability Cloud

First, Log Observer Connect checks for a matching event time processor, rule 1 in the preceding list. If there is a match, it is used as the logical time. Log Observer Connect prioritizes an event time processor rule first because it was a rule you created to determine your logs’ logical time.

If there is no match to an event time processor rule, Log Observer Connect checks for a timestamp sent as part of the HEC protocol as the event time. If there is a HEC protocol timestamp, it becomes that log’s logical time in Log Observer Connect.

If there is no HEC protocol timestamp, Log Observer Connect uses the time when the log event first hits Splunk Observability Cloud as the log’s logical time.