https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478656#M7611 <P>Hello,</P> <P>When I'm looking at an event, there is a TIME field to the left column and then the actual event has it's own time listed as well. <BR /> Is the TIME column using the clock from my PC and the Time within the event is the time reported by the log source?</P> Thu, 02 Jan 2020 16:36:31 GMT trojan_81 2020-01-02T16:36:31Z https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478656#M7611 <P>Hello,</P> <P>When I'm looking at an event, there is a TIME field to the left column and then the actual event has it's own time listed as well. <BR /> Is the TIME column using the clock from my PC and the Time within the event is the time reported by the log source?</P> Thu, 02 Jan 2020 16:36:31 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478656#M7611 trojan_81 2020-01-02T16:36:31Z https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478657#M7612 <P>I meant to say the other way around. Is the TIME column reported in UTC time and the time within the event what the log source sent?</P> Thu, 02 Jan 2020 16:37:56 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478657#M7612 trojan_81 2020-01-02T16:37:56Z https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478658#M7613 <P>The time within the event is the raw data from the source. The value in the TIME column (which I assume is _time renamed) is Splunk's interpretation of when the event happened. It should be the same as one of the time strings in the event. It will be displayed in the time zone you selected in your Splunk preferences.</P> Thu, 02 Jan 2020 16:54:09 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478658#M7613 richgalloway 2020-01-02T16:54:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478659#M7614 <P>The <CODE>Time</CODE> field is being adjusted to match your <CODE>Time zone</CODE> setting in your user's <CODE>Preferences</CODE>. Keep in mind that the <CODE>timestamp</CODE> of the event is not always based on the string that is in <CODE>_raw</CODE>. Some people are lazy and use inadvisable settings like <CODE>DATETIME_CONFIG = current</CODE>.</P> Thu, 02 Jan 2020 20:01:11 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478659#M7614 woodcock 2020-01-02T20:01:11Z https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478660#M7615 <P>Woodcock,</P> <P>When I drill into my username and then perferences I see the timezone is set to "Default System Timezone". Where can I find out what the default system timezone is?</P> Thu, 02 Jan 2020 20:21:37 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478660#M7615 trojan_81 2020-01-02T20:21:37Z https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478661#M7616 <P>You'd need to log onto the server to see that. OR if your Timezone is set to "Default System Timezone", then you can find your timezone (which is same as system timezone in this case), by running a search like this</P> <PRE><CODE>| makeresults | eval timezone=strftime(_time,"%Z (%z)") </CODE></PRE> Thu, 02 Jan 2020 20:34:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478661#M7616 somesoni2 2020-01-02T20:34:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478662#M7617 <P>Thank you somesoni2. Looks like I am on UTC time.<BR /> What does "strftime" stand for?</P> Thu, 02 Jan 2020 20:51:57 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478662#M7617 trojan_81 2020-01-02T20:51:57Z https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478663#M7618 <P><CODE>STRing Format TIME</CODE>.</P> Thu, 02 Jan 2020 21:28:20 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478663#M7618 woodcock 2020-01-02T21:28:20Z https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478664#M7619 <PRE><CODE>| makeresults | eval _time=strftime(_time,"%F %T %z") </CODE></PRE> <P>In UTC, this result is +0000 or -0000.<BR /> Which one is actually?</P> Thu, 02 Jan 2020 21:43:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/splunk-time-stamp/m-p/478664#M7619 to4kawa 2020-01-02T21:43:33Z