Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is _time in UTC or local time?

jdunlea
Contributor
‎03-03-2015 12:02 PM

The documentation says the following:

"Note: The _time field is stored internally in UTC format. It is translated to human-readable Unix time format when Splunk Enterprise renders the search results (the very last step of search time event processing)."

Does this mean that when I view _time using (for example) | stats count by _raw _time
that the values for the _time field are actually the number of seconds that have passed since Jan 1st 1970 in UTC or in local time?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎03-03-2015 04:47 PM

Timestamps are universal, but are presented with a timezone. If you are using the _time in your stats command, then it will use the timestamp as a comparison. So internally it is looking at a UTC time, not localtime, on all events. That way a timestamp for events that happen simultaneously, but in different timezones will have the same _time.

View solution in original post

Reply
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎03-03-2015 04:47 PM

Timestamps are universal, but are presented with a timezone. If you are using the _time in your stats command, then it will use the timestamp as a comparison. So internally it is looking at a UTC time, not localtime, on all events. That way a timestamp for events that happen simultaneously, but in different timezones will have the same _time.

Reply
Solved! Jump to solution

mendesjo
Path Finder
‎02-12-2016 12:35 PM

Yes but how do you display your query in local time? In stead of UTC?

0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎02-12-2016 03:20 PM

Do you want to set the time(zone) in the query or are you referring to how the results are displayed?

0 Karma
Reply
Solved! Jump to solution

mendesjo
Path Finder
‎02-12-2016 03:26 PM

Results displayed.. Meaning when I query Splunk, first colum that says time is in UTC format. I want that to display in local time. Thanks

0 Karma
Reply
Solved! Jump to solution

GDustin
Path Finder
‎05-19-2019 10:29 AM

"Local time" where?
You specify your explicit local time in SH/SHC/SPL GUI service; "Account Setting>Time Zone"
Otherwise local time where; the source, sourcetransport, indexer, SH Servicer, etc

I don't care what timezone it is[Yes, I very much do care] but I just want it displayed in Splunk; I am constantly reviewing my account settings and having to sensitize users to review their their Account Setting>Time Zone for situational awareness. ISO standard is where no timezone then UTC-0 is assumed not the case in Splunk GUI; no timezone=Any host of settings; what ever is in the user's "Account Setting>Time Zone"; Splunk ingestion; no timezone=assumed UTC-0 - I want even playing field where Splunk eats it's dog food in the GUI with _time display.

0 Karma
Reply
Solved! Jump to solution

JoshMc
Loves-to-Learn
‎05-05-2023 07:55 AM
@GDustin wrote:

"Local time" where?
You specify your explicit local time in SH/SHC/SPL GUI service; "Account Setting>Time Zone"
Otherwise local time where; the source, sourcetransport, indexer, SH Servicer, etc

When using the Splunk UI (in a browser), then "local time" means that of the computer you're using. 

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...