Solved: timezone for _time is off by one hour and nothing ...

coleman07 · ‎04-01-2016

I am using eventgen to send license_usage data to a test splunk server. I looked at what was being sent and the time is set to -0700 which is Mountain Daylight time. My server on my VM is Centos 6 running on Mountain Daylight time and my Mac which has my browser is also set to Mountain Daylight time. Here is the event sent to the server:

03-31-2016 00:00:00.000002 -0700 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" slave="02AF8C6E-219F-4598-B8D5-C5D8CE74F8C7" poolsz=177167400960 b=31072775414 stack="enterprise" stacksz=177167400960

On the left side of the event list where it shows the time, it says 1:00:00.000 AM and when looking at the _time value listed when you click the left cell, it shows the time as 2016-03-31T01:00:00.000-06:00

I have no clue where the -0600 is coming from since everything is set to -0700. It is my understanding that 6.2 uses the timezone in the date if specified then the TZ variable, ... I did add a TZ variable to my props.conf file in the local app using eventgen and also in eventgen but that made no difference which makes sense since the event has -0700. Where do I look? Any clues?

coleman07 · ‎04-04-2016

When time changes during Daylight Saving's, the computer's clock has a different numerical timezone value, i.e -0600 vs -0700. I am posting this here because others may forget this small detail which I did.

View solution in original post

mprreddy51 · ‎04-04-2016

check the latency by using this query

index=” YOURINDEXNAME” | eval indexed_time=strftime(_indextime, "%+") | eval latency=_time-_indextime|table _time,indexed_time,latency,index,source,sourcetype,_raw

and check how much delay it is in latency.If you want to make 0 latency use this (DATE_CONFIG=current) in props.conf

My guess for the difference will vary on many factors....

hope this helps

coleman07 · ‎04-04-2016

When time changes during Daylight Saving's, the computer's clock has a different numerical timezone value, i.e -0600 vs -0700. I am posting this here because others may forget this small detail which I did.

woodcock · ‎04-04-2016

You should "Accept" your answer if it is the correct(est) one and "upvote" any other answers/comments that were of assistance to you.

woodcock · ‎04-02-2016

Splunk also normalizes YOUR time, both coming in (through the time-picker: when exactly is Yesterday?) and going out (the Time column in List mode on the Events tab) for the user's personal TZ via Your UserName -> Edit account -> Time zone. Yours probably has a value of -0600.

coleman07 · ‎04-04-2016

I didn't realize when we switched to MDT , the -0700 changes to -0600. I checked date "+%z" and it is -0600 so it all makes sense. Thanks to both sideview and woodcock.

sideview · ‎04-01-2016

This may qualify me for the captain obvious hat... but this is almost certainly an inconsistency related to DST handling. Not saying it's not a bug, but that might help you narrow down where it's coming from.

timezone for _time is off by one hour and nothing makes sense as to why

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout