https://community.splunk.com/t5/Splunk-Search/quot-Last-15-min-quot-refers-to-event-time-or-index-time/m-p/175775#M50490 <P>That refers to the event's time, namely the <CODE>_time</CODE> field.</P> <P>All times in the UI are in the Splunk user's timezone, which defaults to the Search Head timezone.<BR /> For indexing other timezones where the event doesn't specify the timezone you can set the timezone for a host in props.conf like this:</P> <PRE><CODE>[host::some_host] TZ = timezone </CODE></PRE> <P>See <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/propsconf">http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/propsconf</A> for reference.</P> <P>If you want to search for the last 15 minutes by index time you can search over all time using this:</P> <PRE><CODE>_index_earliest=-15m _index_latest=now actual search goes here </CODE></PRE> Fri, 08 Aug 2014 08:45:59 GMT martin_mueller 2014-08-08T08:45:59Z https://community.splunk.com/t5/Splunk-Search/quot-Last-15-min-quot-refers-to-event-time-or-index-time/m-p/175774#M50489 <P>"Last 15 minutes" - Is this referring to index time (or) Events time ?</P> <P>I have hosts located in different timezones, and my Search head &amp; indexers running in GMT TZ.<BR /> So,when I do a search for say.,"Last 15 min" , this refers to GMT's timezones last 15 minute ?</P> <P>I am referring to this since, i might miss data in my search result as host's event time are in their native TZ format which will not be shown for my search</P> Fri, 08 Aug 2014 08:35:08 GMT https://community.splunk.com/t5/Splunk-Search/quot-Last-15-min-quot-refers-to-event-time-or-index-time/m-p/175774#M50489 splunker12er 2014-08-08T08:35:08Z https://community.splunk.com/t5/Splunk-Search/quot-Last-15-min-quot-refers-to-event-time-or-index-time/m-p/175775#M50490 <P>That refers to the event's time, namely the <CODE>_time</CODE> field.</P> <P>All times in the UI are in the Splunk user's timezone, which defaults to the Search Head timezone.<BR /> For indexing other timezones where the event doesn't specify the timezone you can set the timezone for a host in props.conf like this:</P> <PRE><CODE>[host::some_host] TZ = timezone </CODE></PRE> <P>See <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/propsconf">http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/propsconf</A> for reference.</P> <P>If you want to search for the last 15 minutes by index time you can search over all time using this:</P> <PRE><CODE>_index_earliest=-15m _index_latest=now actual search goes here </CODE></PRE> Fri, 08 Aug 2014 08:45:59 GMT https://community.splunk.com/t5/Splunk-Search/quot-Last-15-min-quot-refers-to-event-time-or-index-time/m-p/175775#M50490 martin_mueller 2014-08-08T08:45:59Z https://community.splunk.com/t5/Splunk-Search/quot-Last-15-min-quot-refers-to-event-time-or-index-time/m-p/175776#M50491 <P>Martin has answered your question.</P> <P>Suppose if you need index time. Use _indextime field.</P> <P>Example:<BR /> index= your_index earliest=-10m@m | dedup _indextime | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime</P> Mon, 28 Sep 2020 17:17:40 GMT https://community.splunk.com/t5/Splunk-Search/quot-Last-15-min-quot-refers-to-event-time-or-index-time/m-p/175776#M50491 strive 2020-09-28T17:17:40Z