The documentation says the following:
"Note: The _time field is stored internally in UTC format. It is translated to human-readable Unix time format when Splunk Enterprise renders the search results (the very last step of search time event processing)."
Does this mean that when I view _time using (for example)
| stats count by _raw _time
that the values for the _time field are actually the number of seconds that have passed since Jan 1st 1970 in UTC or in local time?
Timestamps are universal, but are presented with a timezone. If you are using the _time in your stats command, then it will use the timestamp as a comparison. So internally it is looking at a UTC time, not local time, on all events. That way a timestamp for events that happen simultaneously but in different timezones will have the same
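An added illustration of the point made above (example code written for this thread, not Splunk's own): constructed log lines from three hosts in different zones are parsed to epoch seconds, which come out identical, so `stats count by _time` puts them in one bucket, while the displayed value depends only on the viewer's zone. The `ingest` and `render_time` helpers are hypothetical stand-ins for index-time parsing and search-time rendering; treating a zone-less stamp as UTC is this example's assumption, not a statement of Splunk's default.

```python
from datetime import datetime, timezone, timedelta, tzinfo
from zoneinfo import ZoneInfo

# Constructed sample events: the same instant written by hosts in three zones,
# each logging its own wall-clock time with an explicit UTC offset.
RAW_EVENTS = [
    "2024-01-15T14:05:00+00:00 host=london  msg=login ok",
    "2024-01-15T09:05:00-05:00 host=newyork msg=login ok",
    "2024-01-15T23:05:00+09:00 host=tokyo   msg=login ok",
]


def ingest(raw: str) -> dict:
    """Stand-in for index time: parse the leading timestamp into epoch seconds.

    The epoch value has no timezone; offsets are folded in during parsing.
    """
    stamp, _rest = raw.split(" ", 1)
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        # Assumption made by this example only: zone-less stamps are UTC.
        dt = dt.replace(tzinfo=timezone.utc)
    return {"_time": dt.timestamp(), "_raw": raw}


def render_time(epoch: float, user_tz: tzinfo) -> str:
    """Stand-in for search-time rendering using the viewer's Time Zone setting."""
    return datetime.fromtimestamp(epoch, tz=user_tz).strftime("%Y-%m-%d %H:%M:%S %Z")


def count_by_time(events: list) -> dict:
    """Equivalent of `| stats count by _time`: grouping is done on the epoch value."""
    counts = {}
    for event in events:
        counts[event["_time"]] = counts.get(event["_time"], 0) + 1
    return counts


if __name__ == "__main__":
    events = [ingest(line) for line in RAW_EVENTS]
    for event in events:
        # Same epoch on every line; only the rendered column differs per viewer.
        print(event["_time"], render_time(event["_time"], ZoneInfo("America/New_York")), event["_raw"])
    print(count_by_time(events))  # one bucket holding all three events
```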
Results displayed. Meaning when I query Splunk, the first column that says time is in UTC format. I want that to display in local time. Thanks
"Local time" where?
You specify your explicit local time in SH/SHC/SPL GUI service; "Account Setting>Time Zone"
Otherwise, local time where: the source, source transport, indexer, SH server, etc.?
I don't care what timezone it is [Yes, I very much do care] but I just want it displayed in Splunk; I am constantly reviewing my account settings and having to sensitize users to review their Account Setting>Time Zone for situational awareness. ISO standard is where no timezone then UTC-0 is assumed; not the case in Splunk GUI; no timezone = any host of settings, whatever is in the user's "Account Setting>Time Zone"; Splunk ingestion: no timezone = assumed UTC-0. I want an even playing field where Splunk eats its own dog food in the GUI with _time display.