Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk time and event timestamp does not match

ppanchal
Path Finder
‎06-05-2017 12:18 PM

alt text

Splunk time and the event time does not match. There is a 5 hour difference.
How to get both the timestamps under the same timezone?

Please assist.

Tags (1)
Preview file
1 KB
0 Karma
Reply

DalJeanis
Legend
‎06-05-2017 01:25 PM

Assuming your user is in Central US, then those timestamps represent the same time. The event occurred when it was 1:40 PM in London, and 8:40 AM in Chicago.

If the event time is NOT originally in UT/GMT, then it is reporting incorrectly; the Z in the event's timestamp is incorrect. You can correct that with transforms, assuming that the source is consistent about how much off it is reporting the time.

0 Karma
Reply

adonio
Ultra Champion
‎06-05-2017 12:34 PM

hello there:
read here:
https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Applytimezoneoffsetstotimestamps
it explains it better than i do
hop it helps

Reply

somesoni2
Revered Legend
‎06-05-2017 12:40 PM

Your raw event has Z in the place where you specify timezone which indicates Splunk that the login TZ is GMT. Your Splunk server/user timezone is CDT so _time is adjusted to show with current timezone.

0 Karma
Reply

niketn
Legend
‎06-05-2017 12:47 PM

One of the options to correct the timezone display for specific user is to navigate to logged user's Account Menu and choose Edit Settings Or Account Settings options and then change the Time zone to set it Eastern Time (US & Canada) to account for 5 hours difference.

Following has the screenshot of where the Account Menu is location in Splunk Web: http://docs.splunk.com/Documentation/Splunk/latest/Search/NavigatingSplunkWeb#Account_menu

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

ppanchal
Path Finder
‎06-05-2017 01:15 PM

Tried this option but did not work at all, do I need to restart splunk after the change?
Also, do I need to make these changes on the search head or the indexer?

0 Karma
Reply

somesoni2
Revered Legend
‎06-05-2017 01:58 PM

Try changing your user TZ to GMT (same as what raw data is logged with). That way they'll both show same timestamp. No restart is required and it should be done on Search Head.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...