Skip to main content
Solved

Search LHE Timestamp Handling With Existing Event Timestamps In Stream Processing

  • April 29, 2026
  • 6 replies
  • 1 view
S
This message originated from Cribl Community Slack.
Click here to view the original link.

i have some data that is getting processed in stream and I want to send it to search LHE. Will search take the timestamp that has already been created for the event within the pipeline, or do I need to create an additional timestamp config via datatypes?

Best answer by David Cavuto

Concur. If _time exists, LHE will honor it. Just make sure it's accurate and in UTC timezone (since it's stored as an epoch time, it should always be UTC). It's one of the fields you can override when sending structured data to LHE (eg JSON from Stream). https://docs.cribl.io/search/shape-data#overrides Note: Timezone adjustments post-hoc is less fun, so you're better off making any modifications to _time in Stream before you send.

6 replies

J
  • Jeremiahjrross
  • Participating Frequently
  • April 29, 2026
@user does _time accurately reflect the timestamp?
S
yes
J
  • Jeremiahjrross
  • Participating Frequently
  • April 29, 2026
then Search will use _time by default.
J
  • Jeremiahjrross
  • Participating Frequently
  • April 29, 2026
If _time were missing you could use the datatype timestamp options to populate it. Since you are sending from Stream, however, you would already have a _time field.
D
  • David Cavuto
  • Employee
  • Answer
  • April 29, 2026
Concur. If _time exists, LHE will honor it. Just make sure it's accurate and in UTC timezone (since it's stored as an epoch time, it should always be UTC). It's one of the fields you can override when sending structured data to LHE (eg JSON from Stream). https://docs.cribl.io/search/shape-data#overrides Note: Timezone adjustments post-hoc is less fun, so you're better off making any modifications to _time in Stream before you send.
S
Thanks
Terms & ConditionsAccessibility statement