Why is the indexed time not matching the time of the event?

abhayneilam
Contributor

Hi,

When I run the search below for 15th Aug 2015:

index=_internal sourcetype=splunkd | reverse

I get the output below:

8/15/15 
1:14:00.381 AM  
08-14-2015 12:44:00.381 -0700 INFO  Metrics - group=pipeline, name=indexerpipe, processor=signing, cpu_seconds=0.000000, executes=176, cumulative_hits=1381281

But as per the event timestamp 08-14-2015 12:44:00.381, the event was generated on 14th Aug 2015, so why is it showing up on 15th Aug 2015?

Please help me solve this mystery.

0 Karma

lloydd518
Path Finder

The time stamps you are seeing look correct.

The event happened at local time 14 Aug 12:44 (-7) which should be

14 Aug 19:44 GMT

When you log on to Splunk with your user time zone setting, you are also 5 hours 30 mins ahead of GMT. So your Splunk server will show you a timestamp of when the event happened in your local time, so it will show you 15 Aug 01:14.

It's a matter of viewing logs across time zones, which somesoni2 was leading to.

0 Karma

somesoni2
SplunkTrust

What timezone do you have in your user profile?

0 Karma

abhayneilam
Contributor

I am in GMT +5:30

0 Karma

somesoni2
SplunkTrust

And as you can see, the timezone on the events is -0700, so Splunk is converting the time to the user's current timezone.

0 Karma

somesoni2
SplunkTrust

You can change your user profile time zone (Settings -> Access Controls -> Users -> your user name) to GMT-0700, and you would see that both times are the same.

0 Karma

cramasta
Builder

And what timezone is your server set to?

0 Karma

abhayneilam
Contributor

My server is set to US/CANADA GMT -7:00

0 Karma

abhayneilam
Contributor

8/9/15
11:59:33.768 PM
08-09-2015 11:29:33.768 -0700 INFO Metrics - group=tpool, name=indexertpool, qsize=0, workers=2, qwork_units=0

See the above event... it was generated on 8th Aug 2015, but it is showing for 9th Aug 2015 when selected from the TimeRangePicker.

0 Karma
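The conversion discussed in this thread, as an added example that is not part of any post and is not Splunk's own code: it parses the offset-bearing timestamp from the two raw events quoted above (shortened here) and renders the same instant in UTC and in a GMT+5:30 user zone. The function names and the fixed-offset `USER_TZ` are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Raw splunkd events quoted in the thread, shortened after the first fields.
RAW_EVENTS = [
    "08-14-2015 12:44:00.381 -0700 INFO  Metrics - group=pipeline, name=indexerpipe",
    "08-09-2015 11:29:33.768 -0700 INFO Metrics - group=tpool, name=indexertpool",
]

# Assumption: a fixed offset stands in for the user-profile time zone (GMT+5:30).
USER_TZ = timezone(timedelta(hours=5, minutes=30))


def parse_event_time(raw):
    """Parse the 'MM-DD-YYYY HH:MM:SS.mmm +/-HHMM' prefix into an aware datetime."""
    stamp = " ".join(raw.split()[:3])
    return datetime.strptime(stamp, "%m-%d-%Y %H:%M:%S.%f %z")


def views(raw, user_tz=USER_TZ):
    """Return one instant three ways: as written, in UTC, and in the user's zone."""
    t = parse_event_time(raw)
    return {"raw": t, "utc": t.astimezone(timezone.utc), "user": t.astimezone(user_tz)}


def crosses_date(raw, user_tz=USER_TZ):
    """True when the user's-zone calendar date differs from the date in the raw text."""
    v = views(raw, user_tz)
    return v["raw"].date() != v["user"].date()


def fmt(t):
    """Format with millisecond precision and the numeric UTC offset."""
    return t.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3] + t.strftime(" %z")


if __name__ == "__main__":
    for raw in RAW_EVENTS:
        v = views(raw)
        print("raw :", fmt(v["raw"]))
        print("utc :", fmt(v["utc"]))
        print("user:", fmt(v["user"]), "| date differs from raw:", crosses_date(raw))
        print()
```

When correlating events from hosts in different zones, comparing the UTC values avoids the apparent date shift that the display-zone rendering introduces.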