Splunk time and event timestamp does not match

ppanchal
Path Finder

Splunk time and the event time do not match. There is a 5 hour difference.
How to get both the timestamps under the same timezone?

Please assist.


DalJeanis
SplunkTrust

Assuming your user is in Central US, then those timestamps represent the same time. The event occurred when it was 1:40 PM in London, and 8:40 AM in Chicago.

If the event time is NOT originally in UT/GMT, then it is reporting incorrectly; the Z in the event's timestamp is incorrect. You can correct that with transforms, assuming that the source is consistent about how much off it is reporting the time.

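The point DalJeanis makes above (a trailing "Z" marks the event time as UTC, so an 8:40 AM Central display and a 1:40 PM UTC event are the same instant, and a source that writes "Z" on local wall-clock time has to be re-labelled rather than shifted) can be checked outside Splunk. The following is an added example, not code from the thread or from Splunk; the event timestamp is constructed, since the poster's screenshot is not reproduced on the page, and the "America/Chicago" user timezone is an assumption taken from DalJeanis's "Central US".

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample event timestamp (assumption, not the poster's real event).
# The trailing "Z" is ISO 8601 shorthand for UTC, which is how Splunk reads it.
SAMPLE_EVENT_TS = "2017-08-15T13:40:00Z"

# Assumed user timezone, per "Central US" in the answer above.
USER_TZ = "America/Chicago"


def parse_event_timestamp(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp the way a Z-aware parser would.

    A trailing "Z" means UTC. A timestamp with no zone at all is rejected,
    because guessing a zone is exactly what produces mismatched _time values.
    """
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"  # older fromisoformat() does not accept "Z"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamp carries no timezone designator")
    return dt.astimezone(timezone.utc)


def display_in_user_tz(event_utc: datetime, user_tz: str) -> datetime:
    """What Splunk Web shows for _time: the same instant in the user's zone."""
    return event_utc.astimezone(ZoneInfo(user_tz))


def wall_clock_offset_hours(event_utc: datetime, user_tz: str) -> float:
    """Difference between the displayed wall-clock time and the UTC wall-clock
    time, in hours. This is the "5 hour difference" the question describes;
    it is a display offset, not a different moment in time."""
    shown = display_in_user_tz(event_utc, user_tz)
    delta = shown.replace(tzinfo=None) - event_utc.replace(tzinfo=None)
    return delta.total_seconds() / 3600


def relabel_mislabelled_z(ts: str, true_tz: str) -> datetime:
    """Handle the failure mode in the answer above: the source writes "Z" but
    the wall-clock value is actually local time. The fix is to keep the
    digits and reinterpret them in the true zone (the effect a per-source
    timezone override has), not to add or subtract hours from a UTC value."""
    naive = ts[:-1] if ts.endswith("Z") else ts
    local = datetime.fromisoformat(naive).replace(tzinfo=ZoneInfo(true_tz))
    return local.astimezone(timezone.utc)


if __name__ == "__main__":
    event = parse_event_timestamp(SAMPLE_EVENT_TS)
    shown = display_in_user_tz(event, USER_TZ)
    print("event (UTC):   ", event.isoformat())
    print("shown (user):  ", shown.isoformat())
    print("display offset:", wall_clock_offset_hours(event, USER_TZ), "hours")
    print("same instant?  ", event == shown)
    print("if Z was wrong:", relabel_mislabelled_z(SAMPLE_EVENT_TS, USER_TZ).isoformat())
```

Run as a script it prints the UTC event, the Central rendering of the same instant (08:40 with a -05:00 offset in August, when Central is on daylight time), the -5 hour display offset, and what the event would be if the "Z" had been a mislabel on local time. Note that `event == shown` is true even though the printed clock values differ; a user-timezone change in Splunk only alters the second line, never the underlying instant.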

adonio
Ultra Champion

Hello there,
read here:
https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Applytimezoneoffsetstotimestamps
It explains it better than I do.
Hope it helps.

somesoni2
SplunkTrust

Your raw event has Z in the place where you specify the timezone, which indicates to Splunk that the logging TZ is GMT. Your Splunk server/user timezone is CDT, so _time is adjusted to show in the current timezone.


niketn
Legend

One of the options to correct the timezone display for a specific user is to navigate to the logged-in user's Account Menu, choose the Edit Settings or Account Settings option, and then change the Time zone to Eastern Time (US & Canada) to account for the 5 hour difference.

The following has a screenshot of where the Account Menu is located in Splunk Web: http://docs.splunk.com/Documentation/Splunk/latest/Search/NavigatingSplunkWeb#Account_menu

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ppanchal
Path Finder

Tried this option but it did not work at all; do I need to restart Splunk after the change?
Also, do I need to make these changes on the search head or the indexer?


somesoni2
SplunkTrust

Try changing your user TZ to GMT (the same as what the raw data is logged with). That way they'll both show the same timestamp. No restart is required, and it should be done on the Search Head.
