topic Event Time is 4 hours ahead of the actual event. in Getting Data In

Event Time is 4 hours ahead of the actual event.

djreschke — Wed, 30 Sep 2020 04:47:54 GMT

Good morning, I have event time showing 4 hours ahead of the actual event. Can anyone point me in the right direction to get the difference corrected? The weird thing that when I run a search on my deployment server it watches he times match, but not on my searchheads.

Here is the props I am using for one of data sources I am seeing the difference in this is in the o365 app local folder?

[o365:management:activity]
TRUNCATE = 10485760
TIME_PREFIX = "CreationTime":\s*"
KV_MODE = json
TZ = US/Eastern

The event time is 4 hours ahead of the actual event.

Please let me know if you need more information? Thank you for your help with this.

Re: Event Time is 4 hours ahead of the actual event.

richgalloway — Tue, 31 Mar 2020 12:33:09 GMT

Make sure the time zone setting accurately reflects where the event occurs. If the event timestamp is actually in UTC, then "US/Eastern" will make it look 4 hours ahead of time.

Re: Event Time is 4 hours ahead of the actual event.

djreschke — Tue, 31 Mar 2020 12:42:35 GMT

@richgalloway
_time: 2020-03-31 12:38:29

CreationTime: 2020-03-31T08:38:29

The events are occuring in the US/Eastern - The props above changed the creation time from UTC to EST. Not the event time is showing 4 hours ahead.

Re: Event Time is 4 hours ahead of the actual event.

richgalloway — Tue, 31 Mar 2020 12:56:37 GMT

Have you checked the time zone selection for your Splunk account?

Re: Event Time is 4 hours ahead of the actual event.

djreschke — Tue, 31 Mar 2020 13:07:16 GMT

@richgalloway

There is no timezone preference set in the user-pref.conf for my user name, Should I check anywhere else? Thank you for your help with this.

Re: Event Time is 4 hours ahead of the actual event.

richgalloway — Tue, 31 Mar 2020 13:38:48 GMT

Click on your name and select Preferences. Choose your local time zone from the dropdown menu.

Re: Event Time is 4 hours ahead of the actual event.

djreschke — Tue, 31 Mar 2020 13:51:34 GMT

@richgalloway

On the one searchhead i changed it to eastern, but after logging out and logging back in, it resets to default. Do i need to look at roles preferences?

Re: Event Time is 4 hours ahead of the actual event.

richgalloway — Tue, 31 Mar 2020 14:22:32 GMT

Time zones are not role-specific.
It's not necessary to log out for the time zone to take effect. Just re-run the search or refresh the browser page.

Re: Event Time is 4 hours ahead of the actual event.

djreschke — Tue, 31 Mar 2020 14:43:12 GMT

Its not keeping the preference setting when I do that, and it should keep it when I logout and log back in.

Re: Event Time is 4 hours ahead of the actual event.

richgalloway — Tue, 31 Mar 2020 15:17:21 GMT

That's a separate issue.
When you change your time zone preference, do events display the correct time?

Re: Event Time is 4 hours ahead of the actual event.

djreschke — Tue, 31 Mar 2020 15:19:32 GMT

No they don't. They did on my other search head, but not for where the current alert is located at.

Re: Event Time is 4 hours ahead of the actual event.

richgalloway — Tue, 31 Mar 2020 17:39:05 GMT

What's different between the two search heads?

Re: Event Time is 4 hours ahead of the actual event.

djreschke — Tue, 31 Mar 2020 17:42:37 GMT

The only difference is ES is installed on the one that is not working. This alert is created in the search app.