Hi all,
Generating some calls logs from different timezones America , ASIA, UK and so on.
So I am running a search which gives me wrong results when I keep timezone to my local (GMT-08:00) Pacific Time (US & Canada) and when I change the timezone to there dependent timezones from preferences then I get proper results.
My latest event time log from is: 2019-07-24T13:03:58.000-07:00
My current time : in (GMT-08:00) Pacific Time (US & Canada) = Wed 1:36 pm now
How do I solve this problem?
Any help please.
Since you're asking about CallManager CDR data, it's very important to realize that the time in that data, is extracted from an epochtime value.
This means there is no TZ info used or needed at all during index time. Splunk stores time as epochtime (number of seconds since the epoch), and Splunk sees the epochtime values in the file (see TIME_PREFIX and TIME_FORMAT) so all is well. It just uses the epochtime listed in the raw csv, and no matter what timezone splunk thinks it in, it'll index the data the same way.
I think what you're seeing in terms of right results and wrong results, is that
-- the time picker itself, when you pick "last 7 days". doesn't just do exactly 7 days ago to now, it does "-7d@d" to now. Note the "@d". This means "round down to the nearest day, using current TZ preference)". So it will get different results in different time ranges because you're telling it to search a longer or shorter timerange.
However also it can be confusing that some parts of the Splunk search language also incorporate what the current timezone is.
| eval hour_of_day=strftime(_time,"%H")
is a good example. So in some cases with complex reports, there can be calculations internal to the SPL that will work out differently depending on timezone.
hth
I find it amusing that your original subject/title says exactly what is my answer. That is exactly what your personal timezone
setting does. That is the whole point. It is unclear why you posted this.
Since you're asking about CallManager CDR data, it's very important to realize that the time in that data, is extracted from an epochtime value.
This means there is no TZ info used or needed at all during index time. Splunk stores time as epochtime (number of seconds since the epoch), and Splunk sees the epochtime values in the file (see TIME_PREFIX and TIME_FORMAT) so all is well. It just uses the epochtime listed in the raw csv, and no matter what timezone splunk thinks it in, it'll index the data the same way.
I think what you're seeing in terms of right results and wrong results, is that
-- the time picker itself, when you pick "last 7 days". doesn't just do exactly 7 days ago to now, it does "-7d@d" to now. Note the "@d". This means "round down to the nearest day, using current TZ preference)". So it will get different results in different time ranges because you're telling it to search a longer or shorter timerange.
However also it can be confusing that some parts of the Splunk search language also incorporate what the current timezone is.
| eval hour_of_day=strftime(_time,"%H")
is a good example. So in some cases with complex reports, there can be calculations internal to the SPL that will work out differently depending on timezone.
hth
what is your desired outcome?
you can always use the _indextime
field if data arrives in a timely fashion