topic Re: Time Stamp i(All time vs 15 min) in Getting Data In

Time Stamp i(All time vs 15 min)

tmarlette — Wed, 26 Feb 2014 14:32:40 GMT

When I do a search on my search head for all time, I see correct time stamps in standard EST. When I do a 15 minute search, I see time stamps from 5 hours ago.

My search head and indexer are both set to CST on the OS, and the logs are coming in in EST which has been defined in props.conf.

Does anyone know why this could be happening?

This is an image of my sourcetype time stamps, vs my system clock (CST).

Re: Time Stamp i(All time vs 15 min)

lukejadamec — Wed, 26 Feb 2014 14:42:11 GMT

What is your splunk user timezone property set to?

Re: Time Stamp i(All time vs 15 min)

tmarlette — Wed, 26 Feb 2014 14:45:44 GMT

It is set to EST

Re: Time Stamp i(All time vs 15 min)

tmarlette — Wed, 26 Feb 2014 15:48:00 GMT

This is also happening on any user that logs into my search head.

Re: Time Stamp i(All time vs 15 min)

lukejadamec — Wed, 26 Feb 2014 15:56:08 GMT

Is this for all data, or just certain sources?

Re: Time Stamp i(All time vs 15 min)

tmarlette — Wed, 26 Feb 2014 16:03:11 GMT

This is happening on all sourcetypes. I'm sure there is a global setting somewhere that I am missing, but I couldn't tell you what it is to save my life.

Re: Time Stamp i(All time vs 15 min)

tmarlette — Wed, 26 Feb 2014 16:04:05 GMT

That includes windows Perfmon

Re: Time Stamp i(All time vs 15 min)

lukejadamec — Wed, 26 Feb 2014 20:22:21 GMT

Splunk thinks your system time is GMT, so since your user timezone is set to EST it is adjusting the displayed time. You can check this by setting your user timezone to GMT.
I'm also curious about the timestamps in the _raw output

Re: Time Stamp i(All time vs 15 min)

tmarlette — Wed, 26 Feb 2014 20:29:36 GMT

Raw print of an event for 15 minute search of a sourcetype:

Query:
sourcetype= | table _raw

INFO
UserSession for * [7] user Adapter [1]>

Re: Time Stamp i(All time vs 15 min)

lukejadamec — Wed, 26 Feb 2014 20:43:14 GMT

If this is a recent event, then the timestamp is GMT.
Are you configuring the TZ in props.conf on the indexer by host?

Re: Time Stamp i(All time vs 15 min)

tmarlette — Wed, 26 Feb 2014 20:58:28 GMT

negative... but when I looked at my OS on both the indexer and the SH it was in GMT. I set it to CST during install, and didnt' check it after that. I am reconfiguring it now to be in EST and we will see what happens.

Re: Time Stamp i(All time vs 15 min)

tmarlette — Wed, 26 Feb 2014 21:42:45 GMT

In lukejadamec's comments, he mentioned that splunk thought my system time was off. I set the time zone and time settings manually during OS installation, but never checked them after that. When i did, they reflected GMT time.

I adjusted these settings to EST, and all timestamps are current now, and the issue has been resolved.

Re: Time Stamp i(All time vs 15 min)

lukejadamec — Wed, 26 Feb 2014 22:13:28 GMT

Yea. This was starting to give me heartburn 🙂