https://community.splunk.com/t5/Installation/Time-in-Splunk/m-p/657034#M13234 <P>Hi&nbsp;<SPAN>Giuseppe,</SPAN></P><P>so that was a parsing error - make sence because a hand full of older entries hat another formating. The majority of the entries from that older logfile where indexed correctly!</P><P>Just that I understand it - Splunk parses the event and extract a time from the event. That parsed time is stored in <STRONG>_time</STRONG>. The indextime is stored in <STRONG>_indextime</STRONG>.</P><P>In case there is not time entry in the file the indextime ist also used for <STRONG>_time</STRONG>.</P><P>Correct so far?</P><P>But what if I get events from machines in different timezones? Is <STRONG>_time</STRONG> converted fo my local timezone?&nbsp;</P><P>What does it mean when I search for events from today 6:00am till 10:00am? Does that mean 6:00am - 10:00am in my timezone? Or in the timezones of the machines?</P> Fri, 08 Sep 2023 09:14:15 GMT pck1983 2023-09-08T09:14:15Z https://community.splunk.com/t5/Installation/Time-in-Splunk/m-p/657030#M13232 <P>Hello,</P><P>I have a few questions about the time in Splunk. That is a entry from an older logfile and here the _time field and the timestamp in the log does not match!</P><TABLE><TBODY><TR><TD><SPAN class=""><SPAN>4/30/23</SPAN><BR /><SPAN>1:32:16.000 PM</SPAN></SPAN></TD><TD><DIV class=""><DIV class=""><SPAN class="">Mai</SPAN> <SPAN class="">08</SPAN> <SPAN class="">13:32:16</SPAN>&nbsp;xxxxxx&nbsp;<SPAN class="">sshd</SPAN>[<SPAN class="">3312558</SPAN>]<SPAN class="">:</SPAN> <SPAN class=""><SPAN class="">Failed</SPAN></SPAN> <SPAN class=""><SPAN class="">password</SPAN></SPAN> <SPAN class="">for</SPAN>&nbsp;yyyyyyyy&nbsp;<SPAN class="">from</SPAN> <SPAN class="">192.168.1.141</SPAN> <SPAN class="">port</SPAN> <SPAN class="">58744</SPAN> <SPAN class="">ssh2</SPAN></DIV></DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>How could that happen?</P><P>How does time come up with the time fields? And how does it handle files which comtain no time-stamps? Is then the index-time used?&nbsp;</P><P>Ther is a few things which I do not fully understand - maybe there is some article in the documentation which explain that in detail but I have not found with a quick search.&nbsp;</P><P>Could pleas someone clearify how splunk handle that or link to an article? Thanks!</P> Fri, 08 Sep 2023 08:43:30 GMT https://community.splunk.com/t5/Installation/Time-in-Splunk/m-p/657030#M13232 pck1983 2023-09-08T08:43:30Z https://community.splunk.com/t5/Installation/Time-in-Splunk/m-p/657031#M13233 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260311">@pck1983</a>,</P><P>the timestamp format is defined for each sourcetype in the props.conf (for more infos see at <A href="https://docs.splunk.com/Documentation/ITSI/4.17.0/Configure/props.conf" target="_blank">https://docs.splunk.com/Documentation/ITSI/4.17.0/Configure/props.conf</A>) to deploy to the Forwarders that ingested tha log and on the Search Head.</P><P>The timestamp format definitions are described at&nbsp;<A href="https://docs.splunk.com/Documentation/SCS/current/Search/Timevariables" target="_blank">https://docs.splunk.com/Documentation/SCS/current/Search/Timevariables</A></P><P>In your case, you have to set:</P><LI-CODE lang="markup">[your_sourcetype] TIME_PREFIX = ^ TIME_FORMAT = %b %d %H:%M:%S</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 08 Sep 2023 09:01:48 GMT https://community.splunk.com/t5/Installation/Time-in-Splunk/m-p/657031#M13233 gcusello 2023-09-08T09:01:48Z https://community.splunk.com/t5/Installation/Time-in-Splunk/m-p/657034#M13234 <P>Hi&nbsp;<SPAN>Giuseppe,</SPAN></P><P>so that was a parsing error - make sence because a hand full of older entries hat another formating. The majority of the entries from that older logfile where indexed correctly!</P><P>Just that I understand it - Splunk parses the event and extract a time from the event. That parsed time is stored in <STRONG>_time</STRONG>. The indextime is stored in <STRONG>_indextime</STRONG>.</P><P>In case there is not time entry in the file the indextime ist also used for <STRONG>_time</STRONG>.</P><P>Correct so far?</P><P>But what if I get events from machines in different timezones? Is <STRONG>_time</STRONG> converted fo my local timezone?&nbsp;</P><P>What does it mean when I search for events from today 6:00am till 10:00am? Does that mean 6:00am - 10:00am in my timezone? Or in the timezones of the machines?</P> Fri, 08 Sep 2023 09:14:15 GMT https://community.splunk.com/t5/Installation/Time-in-Splunk/m-p/657034#M13234 pck1983 2023-09-08T09:14:15Z https://community.splunk.com/t5/Installation/Time-in-Splunk/m-p/657035#M13235 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260311">@pck1983</a>,</P><P>here you can find some useful description of how Splunk manages timezones:</P><P><A href="https://docs.splunk.com/Documentation/SCS/current/Search/Timezones" target="_blank">https://docs.splunk.com/Documentation/SCS/current/Search/Timezones</A></P><P><A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Applytimezoneoffsetstotimestamps" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Applytimezoneoffsetstotimestamps</A></P><P>In few words, yes, if Splunk isn't able to understand the timestamp, is uses the previous event timestamp or _indextime&nbsp; as _time.</P><P>Splunk automatically manages different timezones so, setting the timezone in your user preferences, you can read the timestamps using the timestamp corresponding to your timezone.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 08 Sep 2023 09:27:28 GMT https://community.splunk.com/t5/Installation/Time-in-Splunk/m-p/657035#M13235 gcusello 2023-09-08T09:27:28Z