Is _time in UTC or local time?

Path Finder

The documentation says the following:

"Note: The _time field is stored internally in UTC format. It is translated to human-readable Unix time format when Splunk Enterprise renders the search results (the very last step of search time event processing)."

Does this mean that when I view _time using (for example) | stats count by _raw _time
that the values for the _time field are actually the number of seconds that have passed since Jan 1st 1970 in UTC or in local time?


Re: Is _time in UTC or local time?

SplunkTrust

Timestamps are universal, but are presented with a timezone. If you are using the _time in your stats command, then it will use the timestamp as a comparison. So internally it is looking at a UTC time, not localtime, on all events. That way a timestamp for events that happen simultaneously, but in different timezones will have the same _time.
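
An added illustration of the answer above (not part of the original post and not Splunk code): constructed log lines from hosts in different timezones reduce to the same epoch value, and the timezone only enters again when that value is rendered for a viewer. The host names, the sample timestamps, and the `assumed_tz` parameter for lines that carry no offset are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events: one instant logged by hosts in three zones,
# plus one line whose timestamp carries no offset at all.
RAW_EVENTS = [
    ("fw-tokyo",   "2024-03-01 21:00:00 +0900"),
    ("dc-london",  "2024-03-01 12:00:00 +0000"),
    ("vpn-nyc",    "2024-03-01 07:00:00 -0500"),
    ("legacy-app", "2024-03-01 12:00:00"),
]

def to_epoch(raw, assumed_tz=timezone.utc):
    """Parse a raw timestamp into epoch seconds, a timezone-independent value.

    A timestamp without an offset is ambiguous, so the zone applied to it
    (assumed_tz, hypothetical parameter) is an explicit choice, not a fact.
    """
    try:
        dt = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S %z")
    except ValueError:
        dt = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=assumed_tz)
    return int(dt.timestamp())

def normalize(events, assumed_tz=timezone.utc):
    """Map each host to the epoch value of its event."""
    return {host: to_epoch(raw, assumed_tz) for host, raw in events}

def render(epoch, viewer_tz):
    """Format an epoch value for one viewer; the stored value is unchanged."""
    return datetime.fromtimestamp(epoch, tz=viewer_tz).strftime("%Y-%m-%d %H:%M:%S %z")

if __name__ == "__main__":
    new_york = timezone(timedelta(hours=-5))  # fixed offset standing in for a user's zone
    for host, epoch in normalize(RAW_EVENTS).items():
        print(host, epoch, render(epoch, timezone.utc), render(epoch, new_york))
```

Changing `assumed_tz` moves only the offset-less `legacy-app` event, which is why a source that logs without a timezone is the one to check first when a cross-host timeline looks shifted by whole hours.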


Re: Is _time in UTC or local time?

Explorer

Yes, but how do you display your query in local time instead of UTC?


Re: Is _time in UTC or local time?

SplunkTrust

Do you want to set the time(zone) in the query or are you referring to how the results are displayed?


Re: Is _time in UTC or local time?

Explorer

Results displayed. Meaning when I query Splunk, the first column that says time is in UTC format. I want that to display in local time. Thanks


Re: Is _time in UTC or local time?

Path Finder

"Local time" where?
You specify your explicit local time in SH/SHC/SPL GUI service; "Account Setting>Time Zone"
Otherwise local time where; the source, sourcetransport, indexer, SH Servicer, etc

I don't care what timezone it is [Yes, I very much do care] but I just want it displayed in Splunk; I am constantly reviewing my account settings and having to sensitize users to review their Account Setting>Time Zone for situational awareness. ISO standard is where no timezone then UTC-0 is assumed not the case in Splunk GUI; no timezone=Any host of settings; whatever is in the user's "Account Setting>Time Zone"; Splunk ingestion; no timezone=assumed UTC-0 - I want even playing field where Splunk eats its dog food in the GUI with _time display.
