
How to avoid changing timezone to get proper results?

splunkuseradmin
Path Finder

Hi all,
I am generating some call logs from different timezones (America, Asia, UK and so on).
I am running a search that gives me wrong results when I keep the timezone set to my local (GMT-08:00) Pacific Time (US & Canada), but when I change the timezone in preferences to the respective timezone of the data, I get the proper results.

My latest event time from the log is: 2019-07-24T13:03:58.000-07:00

My current time : in (GMT-08:00) Pacific Time (US & Canada) = Wed 1:36 pm now

How do I solve this problem?
Any help please.

0 Karma
1 Solution

sideview
SplunkTrust

Since you're asking about CallManager CDR data, it's very important to realize that the time in that data, is extracted from an epochtime value.

This means there is no TZ info used or needed at all at index time. Splunk stores time as epochtime (number of seconds since the epoch), and Splunk sees the epochtime values in the file (see TIME_PREFIX and TIME_FORMAT), so all is well. It just uses the epochtime listed in the raw csv, and no matter what timezone Splunk thinks it is in, it'll index the data the same way.

I think what you're seeing in terms of right results and wrong results is this:
-- the time picker itself, when you pick "last 7 days", doesn't just do exactly 7 days ago to now; it does "-7d@d" to now. Note the "@d". This means "round down to the nearest day, using the current TZ preference". So it will get different results with different timezone preferences because you're telling it to search a longer or shorter timerange.

However, it can also be confusing that some parts of the Splunk search language incorporate what the current timezone is.
| eval hour_of_day=strftime(_time,"%H")
is a good example. So in some cases with complex reports, there can be calculations internal to the SPL that will work out differently depending on timezone.

hth


0 Karma
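The three effects described in the accepted answer can be checked side by side with a short script. The following is an added example written for this page, not code from the answer above or from Splunk itself. It takes the event timestamp quoted in the question, assumes "now" is Wed 2019-07-24 13:36 Pacific (the date is an assumption; the question only gives the weekday and time), and uses fixed UTC offsets for the zones in effect on that date (PDT -07:00, IST +05:30, BST +01:00) so it runs without a timezone database. The `-7d@d` emulation (go back seven days, then round down to local midnight) is this example's reading of the snap-to semantics the answer describes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values taken from the question: the latest event timestamp,
# and "now" assumed to be Wed 2019-07-24 13:36 Pacific (the date is an assumption).
EVENT_ISO = "2019-07-24T13:03:58.000-07:00"
NOW_ISO = "2019-07-24T13:36:00-07:00"

# Fixed UTC offsets in effect on that date. In real code you would use
# zoneinfo.ZoneInfo("America/Los_Angeles") etc. so that DST is handled;
# fixed offsets keep this example free of a tz database dependency.
ZONES = {
    "US/Pacific (PDT)": timezone(timedelta(hours=-7)),
    "Asia/Kolkata (IST)": timezone(timedelta(hours=5, minutes=30)),
    "Europe/London (BST)": timezone(timedelta(hours=1)),
}


def to_epoch(iso_text: str) -> int:
    """Epoch seconds for an ISO-8601 timestamp that carries its own UTC offset.

    This is what Splunk stores in _time; the value does not depend on the
    viewing user's timezone preference in any way.
    """
    return int(datetime.fromisoformat(iso_text).timestamp())


def earliest_minus_days(now_epoch: int, days: int) -> int:
    """Emulates a relative time of '-7d' with no snap-to: plain epoch arithmetic."""
    return now_epoch - days * 86400


def earliest_minus_days_snap_day(now_epoch: int, days: int, tz: timezone) -> int:
    """Emulates '-Nd@d': go back N days, then round down to local midnight.

    Because midnight is a wall-clock concept, the result moves with the
    user's timezone preference, which changes how much data the search covers.
    """
    local_now = datetime.fromtimestamp(now_epoch, tz)
    shifted = local_now - timedelta(days=days)
    local_midnight = shifted.replace(hour=0, minute=0, second=0, microsecond=0)
    return int(local_midnight.timestamp())


def hour_of_day(epoch: int, tz: timezone) -> int:
    """Emulates | eval hour_of_day=strftime(_time,"%H"), which renders in the user's TZ."""
    return int(datetime.fromtimestamp(epoch, tz).strftime("%H"))


def compare_zones() -> dict:
    """Run each calculation in every zone so the differences are visible side by side."""
    event = to_epoch(EVENT_ISO)
    now = to_epoch(NOW_ISO)
    return {
        name: {
            "event_epoch": event,                                        # same in every zone
            "earliest_-7d": earliest_minus_days(now, 7),                 # same in every zone
            "earliest_-7d@d": earliest_minus_days_snap_day(now, 7, tz),  # differs per zone
            "hour_of_day": hour_of_day(event, tz),                       # differs per zone
        }
        for name, tz in ZONES.items()
    }


if __name__ == "__main__":
    for zone, row in compare_zones().items():
        print(zone, row)
```

Running it shows the stored epoch and a plain `-7d` earliest are identical in every zone, while the `-7d@d` earliest shifts by many hours between Pacific and Kolkata, and the same event lands in hour 13, 1 or 21 depending on which zone `strftime` renders it in. When a report must not move with the viewer's preference, compute fields from `_time` in a fixed zone (or use `_indextime`, as suggested later in the thread, when arrival time is acceptable) rather than relying on the user setting.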

woodcock
Esteemed Legend

I find it amusing that your original subject/title says exactly what is my answer. That is exactly what your personal timezone setting does. That is the whole point. It is unclear why you posted this.

0 Karma

adonio
Ultra Champion

What is your desired outcome?
You can always use the _indextime field if the data arrives in a timely fashion.

0 Karma