Getting Data In

Event Time is 4 hours ahead of the actual event.

djreschke
Communicator

Good morning, I have event time showing 4 hours ahead of the actual event. Can anyone point me in the right direction to get the difference corrected? The weird thing is that when I run a search on my deployment server the times match, but not on my search heads.

Here are the props I am using for one of the data sources I am seeing the difference in. This is in the o365 app local folder.

[o365:management:activity]
TRUNCATE = 10485760
TIME_PREFIX = "CreationTime":\s*"
KV_MODE = json
TZ = US/Eastern

The event time is 4 hours ahead of the actual event.

Please let me know if you need more information? Thank you for your help with this.

0 Karma

richgalloway
SplunkTrust

Make sure the time zone setting accurately reflects where the event occurs. If the event timestamp is actually in UTC, then "US/Eastern" will make it look 4 hours ahead of time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
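To make the mechanism in the reply above concrete, here is an added Python example (not code from the thread or from Splunk) that reproduces what the props.conf stanza does: it takes the text after the same TIME_PREFIX, parses the offset-less CreationTime, and stamps it with the assumed zone. It assumes a constructed sample event and uses America/New_York, the canonical name of the same zone as US/Eastern.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample event (not from the thread): an O365 management activity
# record whose CreationTime carries no UTC offset, so the zone must be assumed.
RAW_EVENT = '{"CreationTime": "2020-03-31T08:38:29", "Operation": "UserLoggedIn"}'

# Same TIME_PREFIX as the stanza above, followed by the timestamp itself.
TIME_RE = re.compile(r'"CreationTime":\s*"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})')

def extract_time(raw_event, tz_name):
    """Mimic Splunk timestamp extraction: take the text after TIME_PREFIX,
    parse it as a naive wall-clock value, and attach the TZ from props.conf
    because the string itself says nothing about its zone."""
    m = TIME_RE.search(raw_event)
    if m is None:
        raise ValueError("TIME_PREFIX did not match; Splunk would fall back to index time")
    naive = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=ZoneInfo(tz_name))

def skew_seconds(raw_event, assumed_tz, actual_tz):
    """Seconds by which _time drifts when props.conf assumes the wrong zone.
    Positive means the event is indexed later than it really happened."""
    wrong = extract_time(raw_event, assumed_tz)
    right = extract_time(raw_event, actual_tz)
    return int((wrong - right).total_seconds())

def render(aware, display_tz):
    """How the search head shows _time under a given user time-zone preference."""
    return aware.astimezone(ZoneInfo(display_tz)).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    # A UTC timestamp read as Eastern (EDT on 2020-03-31) lands 4 hours late.
    print("skew with TZ=US/Eastern:", skew_seconds(RAW_EVENT, "America/New_York", "UTC"))
    print("_time shown in UTC, TZ=US/Eastern:", render(extract_time(RAW_EVENT, "America/New_York"), "UTC"))
    print("_time shown in UTC, TZ=UTC       :", render(extract_time(RAW_EVENT, "UTC"), "UTC"))
```

A 4-hour skew like this breaks correlation with other UTC sources and alert time windows, so comparing _time against a raw timestamp of known zone, as above, is a quick check to run after any TZ change.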

djreschke
Communicator

@richgalloway
_time: 2020-03-31 12:38:29

CreationTime: 2020-03-31T08:38:29

The events are occurring in US/Eastern. The props above changed the creation time from UTC to EST. Now the event time is showing 4 hours ahead.

0 Karma

richgalloway
SplunkTrust

Have you checked the time zone selection for your Splunk account?

---
If this reply helps you, Karma would be appreciated.
0 Karma

djreschke
Communicator

@richgalloway

There is no timezone preference set in user-prefs.conf for my user name. Should I check anywhere else? Thank you for your help with this.

0 Karma

richgalloway
SplunkTrust

Click on your name and select Preferences. Choose your local time zone from the dropdown menu.

---
If this reply helps you, Karma would be appreciated.
0 Karma

djreschke
Communicator

@richgalloway

On the one search head I changed it to Eastern, but after logging out and logging back in, it resets to default. Do I need to look at role preferences?

0 Karma

richgalloway
SplunkTrust

Time zones are not role-specific.
It's not necessary to log out for the time zone to take effect. Just re-run the search or refresh the browser page.

---
If this reply helps you, Karma would be appreciated.
0 Karma

djreschke
Communicator

It's not keeping the preference setting when I do that, and it should keep it when I log out and log back in.

0 Karma

richgalloway
SplunkTrust

That's a separate issue.
When you change your time zone preference, do events display the correct time?

---
If this reply helps you, Karma would be appreciated.
0 Karma

djreschke
Communicator

No, they don't. They did on my other search head, but not on the one where the current alert is located.

0 Karma

richgalloway
SplunkTrust

What's different between the two search heads?

---
If this reply helps you, Karma would be appreciated.
0 Karma

djreschke
Communicator

The only difference is ES is installed on the one that is not working. This alert is created in the search app.

0 Karma