Re: Event Time is 4 hours ahead of the actual even... - Splunk Community

Getting Data In

Good morning, I have event time showing 4 hours ahead of the actual event. Can anyone point me in the right direction to get the difference corrected? The weird thing that when I run a search on my deployment server it watches he times match, but not on my searchheads.

Here is the props I am using for one of data sources I am seeing the difference in this is in the o365 app local folder?

[o365:management:activity]
TRUNCATE = 10485760
TIME_PREFIX = "CreationTime":\s*"
KV_MODE = json
TZ = US/Eastern

The event time is 4 hours ahead of the actual event.

Please let me know if you need more information? Thank you for your help with this.

Make sure the time zone setting accurately reflects where the event occurs. If the event timestamp is actually in UTC, then "US/Eastern" will make it look 4 hours ahead of time.

---
If this reply helps you, Karma would be appreciated.

@richgalloway
_time: 2020-03-31 12:38:29

CreationTime: 2020-03-31T08:38:29

The events are occuring in the US/Eastern - The props above changed the creation time from UTC to EST. Not the event time is showing 4 hours ahead.

Have you checked the time zone selection for your Splunk account?

---
If this reply helps you, Karma would be appreciated.

@richgalloway

There is no timezone preference set in the user-pref.conf for my user name, Should I check anywhere else? Thank you for your help with this.

Click on your name and select Preferences. Choose your local time zone from the dropdown menu.

---
If this reply helps you, Karma would be appreciated.

@richgalloway

On the one searchhead i changed it to eastern, but after logging out and logging back in, it resets to default. Do i need to look at roles preferences?

Time zones are not role-specific.
It's not necessary to log out for the time zone to take effect. Just re-run the search or refresh the browser page.

---
If this reply helps you, Karma would be appreciated.

Its not keeping the preference setting when I do that, and it should keep it when I logout and log back in.

That's a separate issue.
When you change your time zone preference, do events display the correct time?

---
If this reply helps you, Karma would be appreciated.

No they don't. They did on my other search head, but not for where the current alert is located at.

What's different between the two search heads?

---
If this reply helps you, Karma would be appreciated.

The only difference is ES is installed on the one that is not working. This alert is created in the search app.

Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...