Good morning, I have event time showing 4 hours ahead of the actual event. Can anyone point me in the right direction to get the difference corrected? The weird thing that when I run a search on my deployment server it watches he times match, but not on my searchheads.
Here is the props I am using for one of data sources I am seeing the difference in this is in the o365 app local folder?
[o365:management:activity]
TRUNCATE = 10485760
TIME_PREFIX = "CreationTime":\s*"
KV_MODE = json
TZ = US/Eastern
The event time is 4 hours ahead of the actual event.
Please let me know if you need more information? Thank you for your help with this.
Make sure the time zone setting accurately reflects where the event occurs. If the event timestamp is actually in UTC, then "US/Eastern" will make it look 4 hours ahead of time.
@richgalloway
_time: 2020-03-31 12:38:29
CreationTime: 2020-03-31T08:38:29
The events are occuring in the US/Eastern - The props above changed the creation time from UTC to EST. Not the event time is showing 4 hours ahead.
Have you checked the time zone selection for your Splunk account?
@richgalloway
There is no timezone preference set in the user-pref.conf for my user name, Should I check anywhere else? Thank you for your help with this.
Click on your name and select Preferences. Choose your local time zone from the dropdown menu.
@richgalloway
On the one searchhead i changed it to eastern, but after logging out and logging back in, it resets to default. Do i need to look at roles preferences?
Time zones are not role-specific.
It's not necessary to log out for the time zone to take effect. Just re-run the search or refresh the browser page.
Its not keeping the preference setting when I do that, and it should keep it when I logout and log back in.
That's a separate issue.
When you change your time zone preference, do events display the correct time?
No they don't. They did on my other search head, but not for where the current alert is located at.
What's different between the two search heads?
The only difference is ES is installed on the one that is not working. This alert is created in the search app.