Identify the time field in a Snowflake dataset

Configure time settings for your Snowflake dataset, to use time-based fields and functions in federated searches.

If your Snowflake dataset contains a time field and you want to run searches over the dataset that involve time-based filters and functions, you must identify this time field in the dataset definition. Splunk software cannot identify the time field of a federated dataset without your help.

When you specify the time field, you must also supply the format for the time field, and identify a UNIX time field value, such as _time, that Splunk software can convert into numeric UNIX format at search time.

Note: You do not need to provide a Time field value. This field is superfluous and will be removed in an upcoming release.

For more information about these time settings, see the following definitions.

Time field

Enter the name of the field that acts as an event timestamp in the Snowflake dataset.

The time field can contain only lowercase letters, numbers, underscores, and dot characters (.).

Surround time fields that contain dot characters, but which are not nested fields, with single quote characters.

Time format

Provide a time format variable or custom time format variable string that matches the Time field.

You can set the following values for Time format:

  • Set %s when the Time field has UNIX time values with the string data type.
  • Set %UT when the Time field has UNIX time values with the numeric data type.
  • Set %ST when the Time field has values with the SQL timestamp data type.
  • Set a custom string of time format variables when the Time field has values that follow a specific string time format. For example, if your time field values look like 04-29-2023 11:45:22 PM, your Time format value would be %m-%d-%Y %I:%M:%S %p. For more information, see Using time variables in the SPL2 Search Manual.

Note: %UT and %ST are not among the standard set of Splunk platform time format variables. Use them only in the context of Federated Search.

You can optionally append the %Q time format variable to time format variables to capture subsecond timestamps, such as milliseconds (%3Q), microseconds (%6Q), and nanoseconds (%9Q). For example, for a time field in numeric-typed UNIX time format with a nanosecond component, use %UT.%9Q, or %UT%9Q if you do not need to separate the subsecond component from the UNIX time value with a dot character (.).
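As an added illustration, not Splunk's own code, the following Python models how the Time field naming rule and the Time format values described above (%s, %UT, %ST, a custom string, and the %Q subsecond suffix) map a stored value to numeric UNIX time. It assumes UTC for values that carry no time zone and supports at most six subsecond digits in custom formats; the sample values are constructed.

```python
import calendar
import re
from datetime import datetime
from decimal import Decimal

# Time field name rule from the page: lowercase letters, digits, underscores, dots.
_FIELD_RE = re.compile(r"^[a-z0-9_.]+$")
# Federated Search-specific variables, with an optional %<n>Q subsecond suffix
# (a dot before %<n>Q means the value separates seconds and subseconds with a dot).
_FEDERATED_RE = re.compile(r"^(%s|%UT|%ST)(\.?)(?:%(\d)Q)?$")


def time_field_setting(name: str, nested: bool = False) -> str:
    """Validate a Time field name; single-quote it when it has dots but is not nested."""
    if not _FIELD_RE.match(name):
        raise ValueError(f"invalid time field name: {name!r}")
    return f"'{name}'" if "." in name and not nested else name


def to_unix_time(value, time_format: str) -> Decimal:
    """Convert one time field value to numeric UNIX seconds (assumption: naive values are UTC)."""
    text = str(value)
    m = _FEDERATED_RE.match(time_format)
    if m and m.group(1) == "%ST":
        # SQL timestamp: fromisoformat parses any fractional part itself, so %Q is accepted but unused.
        dt = datetime.fromisoformat(text)
    elif m:
        # %s (string-typed) and %UT (numeric-typed) both carry UNIX seconds; %<n>Q adds n digits.
        dot, digits = m.group(2), m.group(3)
        if not digits:
            return Decimal(text)
        n = int(digits)
        if dot:
            secs, _, frac = text.partition(".")      # e.g. %UT.%9Q -> 1682811922.123456789
        else:
            secs, frac = text[:-n], text[-n:]        # e.g. %UT%9Q  -> 1682811922123456789
        if len(frac) != n or not (secs.isdigit() and frac.isdigit()):
            raise ValueError(f"{text!r} does not match {time_format}")
        return Decimal(secs) + Decimal(frac) / Decimal(10 ** n)
    else:
        # Custom strftime-style string; strptime has no %Q, so map %<n>Q (n <= 6) onto %f.
        fmt = re.sub(r"%([1-6])Q", "%f", time_format)
        if re.search(r"%\dQ", fmt):
            raise ValueError("this example supports at most 6 subsecond digits in custom formats")
        dt = datetime.strptime(text, fmt)
    whole = calendar.timegm(dt.utctimetuple())
    return Decimal(whole) + Decimal(dt.microsecond) / Decimal(10 ** 6)
```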

UNIX time field

If your dataset definition requires time settings, UNIX time field provides an alias for the Time field that Splunk software converts into numeric UNIX time format at search time. Insert the UNIX time field into federated searches that require numeric UNIX time field values, or when you want to see your time field in numeric UNIX time format in the search results.

UNIX time field defaults to _time. In Splunk Web, the values of _time always display in human-readable format, unless you are aggregating on the _time field. For example, avg(_time) returns values in numeric UNIX time format.

Note: If _time already exists as a field name in your dataset schema, give the UNIX time field a value other than _time.