Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What time is displayed in raw splunk logs

gsonal03
New Member
‎03-16-2019 09:54 AM

I am trying to debug issues related to delay in splunk forwarding or indexing in a separate splunk query "https://answers.splunk.com/answers/730136/why-are-our-splunk-indexes-not-showing-all-log-ent.html. But I would like to understand how the display of raw logs are governed, so opening a new ticket.

Attached below is a mockup of how I see logs in raw format and account settings. I have my account settings configured to GMT timezone. When I search any logs in raw format, I see each log entry beginning with EST timestamp. When I expand it, I see _time field showing time in GMT format.
How and where can I change the settings for the log entry so that it remains consistent and I can debug correct time period to view logs . The servers from where we are forwarding the logs is also in GMT time as far as I know.
Time-mockup: alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-16-2019 10:32 AM

There is no such thing as time displayed in logs; there is only text displayed in logs so the thing that you see in the raw event is the unmodified text the way that the event came in.

Do you see the Raw v that is above Event that is above your timestamp?
Click on that and change it to List. You will then see a new column called Time between i and Event that shows the event's timestamp adjusted to your user's Time zone setting. BTW, List is the default so at some point you changed this (or somebody logged in as you), so don't blame Splunk!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-16-2019 10:32 AM

There is no such thing as time displayed in logs; there is only text displayed in logs so the thing that you see in the raw event is the unmodified text the way that the event came in.

Do you see the Raw v that is above Event that is above your timestamp?
Click on that and change it to List. You will then see a new column called Time between i and Event that shows the event's timestamp adjusted to your user's Time zone setting. BTW, List is the default so at some point you changed this (or somebody logged in as you), so don't blame Splunk!

0 Karma
Reply
Solved! Jump to solution

gsonal03
New Member
‎03-16-2019 10:48 AM

Thanks for the explanation. I am not blaming splunk for anything, just trying to understand so it can utilized in correct manner.
With the explanation you are giving, it seems the source log file is logging in EST, that would mean the server which I assumed was in GMT is in fact in EST location. So, I need to change my account settings to EST then, to get consistent logs.
I will try this and see if it helps in finding old logs in appropriate date time range.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-16-2019 10:50 AM

You've got it.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...