https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/574887#M101596 <P>Hello,</P><P>Thank you for your replies.</P><P>Finally the "issue" was a bug in Splunk version, by restarting the universal forwarders all went back to normal.</P><P>I'm planning the upgrade right now so it should'nt happen again.</P><P>Good day.</P> Mon, 15 Nov 2021 08:45:12 GMT gilliers 2021-11-15T08:45:12Z https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/573685#M101463 <P>Hello,</P><P>I have a timezone issue that I don't understand.</P><P>I have two set of indexed logs in different indexes, indexed by the same indexer. The sourcetype is the same for both. I don't explicitly modify the timezone anywhere.</P><P><BR />For the first index the _time shown is the right one (same as the one in the log itself).<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Server 1 - _time OK" style="width: 526px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16740i32E83940C05A3B09/image-size/large?v=v2&amp;px=999" role="button" title="Server1_OK.jpg" alt="Server 1 - _time OK" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Server 1 - _time OK</span></span><BR />For the second index the _time is 1 hour behind since the daylight saving time a few days ago. If I look at the _time field, it has however the right date_hour but it shows something different.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Server2 - _time wrong" style="width: 581px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16739i1DE7D6C81F6CEEF0/image-size/large?v=v2&amp;px=999" role="button" title="Server2_KO.jpg" alt="Server2 - _time wrong" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Server2 - _time wrong</span></span></P><P>I chec<SPAN>ke</SPAN><SPAN>d on the servers where the logs are generated but they are running the same (and right) timezone: CET</SPAN><SPAN>.</SPAN></P><P>I am lost about this issue, any suggestions on where I should look?</P> Thu, 04 Nov 2021 20:30:43 GMT https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/573685#M101463 gilliers 2021-11-04T20:30:43Z https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/573695#M101464 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Usedefaultfields#Default_datetime_fields" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Usedefaultfields#Default_datetime_fields</A></P><P>"The datetime values are the literal values parsed from the event when it is indexed, regardless of its timezone"</P><P>That's why I'd rather believe _time (if your time extraction is working properly) than date_* fields.</P> Thu, 04 Nov 2021 21:07:13 GMT https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/573695#M101464 PickleRick 2021-11-04T21:07:13Z https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/573696#M101465 <P>Hello,</P><P>Thanks for your reply.</P><P>If I look at the raw datas, the datetime value in the log entry is the one expected, not the wrong one (16:27:16 for the second server, not 15:27:16).</P> Thu, 04 Nov 2021 21:10:21 GMT https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/573696#M101465 gilliers 2021-11-04T21:10:21Z https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/573698#M101466 <P>Yes. That's understandable. The date_hour field should correspond to the hour part from the raw event. "local" in date_zone suggests that the timestamp in raw event didn't have the timezone information.</P><P>Therefore - if you say that you don't explicitly manipulate timezone - the event must have been parsed according to the local time zone of the HF or indexer. And now the question I cannot answer is whether the data in the raw event is in your local timezone and is not recalculated correctly by the parser or is it sent with a wrong timezone.</P><P>Anyway, it looks that some explicit TZ setting could be useful.</P> Thu, 04 Nov 2021 21:24:38 GMT https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/573698#M101466 PickleRick 2021-11-04T21:24:38Z https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/574887#M101596 <P>Hello,</P><P>Thank you for your replies.</P><P>Finally the "issue" was a bug in Splunk version, by restarting the universal forwarders all went back to normal.</P><P>I'm planning the upgrade right now so it should'nt happen again.</P><P>Good day.</P> Mon, 15 Nov 2021 08:45:12 GMT https://community.splunk.com/t5/Getting-Data-In/Timezone-issue/m-p/574887#M101596 gilliers 2021-11-15T08:45:12Z