Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is _time in UTC or local time?

jdunlea
Contributor
‎03-03-2015 12:02 PM

The documentation says the following:

"Note: The _time field is stored internally in UTC format. It is translated to human-readable Unix time format when Splunk Enterprise renders the search results (the very last step of search time event processing)."

Does this mean that when I view _time using (for example) | stats count by _raw _time
that the values for the _time field are actually the number of seconds that have passed since Jan 1st 1970 in UTC or in local time?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎03-03-2015 04:47 PM

Timestamps are universal, but are presented with a timezone. If you are using the _time in your stats command, then it will use the timestamp as a comparison. So internally it is looking at a UTC time, not localtime, on all events. That way a timestamp for events that happen simultaneously, but in different timezones will have the same _time.

View solution in original post

Reply
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎03-03-2015 04:47 PM

Timestamps are universal, but are presented with a timezone. If you are using the _time in your stats command, then it will use the timestamp as a comparison. So internally it is looking at a UTC time, not localtime, on all events. That way a timestamp for events that happen simultaneously, but in different timezones will have the same _time.

Reply
Solved! Jump to solution

mendesjo
Path Finder
‎02-12-2016 12:35 PM

Yes but how do you display your query in local time? In stead of UTC?

0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎02-12-2016 03:20 PM

Do you want to set the time(zone) in the query or are you referring to how the results are displayed?

0 Karma
Reply
Solved! Jump to solution

mendesjo
Path Finder
‎02-12-2016 03:26 PM

Results displayed.. Meaning when I query Splunk, first colum that says time is in UTC format. I want that to display in local time. Thanks

0 Karma
Reply
Solved! Jump to solution

GDustin
Path Finder
‎05-19-2019 10:29 AM

"Local time" where?
You specify your explicit local time in SH/SHC/SPL GUI service; "Account Setting>Time Zone"
Otherwise local time where; the source, sourcetransport, indexer, SH Servicer, etc

I don't care what timezone it is[Yes, I very much do care] but I just want it displayed in Splunk; I am constantly reviewing my account settings and having to sensitize users to review their their Account Setting>Time Zone for situational awareness. ISO standard is where no timezone then UTC-0 is assumed not the case in Splunk GUI; no timezone=Any host of settings; what ever is in the user's "Account Setting>Time Zone"; Splunk ingestion; no timezone=assumed UTC-0 - I want even playing field where Splunk eats it's dog food in the GUI with _time display.

0 Karma
Reply
Solved! Jump to solution

JoshMc
Loves-to-Learn
‎05-05-2023 07:55 AM
@GDustin wrote:

"Local time" where?
You specify your explicit local time in SH/SHC/SPL GUI service; "Account Setting>Time Zone"
Otherwise local time where; the source, sourcetransport, indexer, SH Servicer, etc

When using the Splunk UI (in a browser), then "local time" means that of the computer you're using. 

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...