Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What time is displayed in raw splunk logs

gsonal03
New Member
‎03-16-2019 09:54 AM

I am trying to debug issues related to delay in splunk forwarding or indexing in a separate splunk query "https://answers.splunk.com/answers/730136/why-are-our-splunk-indexes-not-showing-all-log-ent.html. But I would like to understand how the display of raw logs are governed, so opening a new ticket.

Attached below is a mockup of how I see logs in raw format and account settings. I have my account settings configured to GMT timezone. When I search any logs in raw format, I see each log entry beginning with EST timestamp. When I expand it, I see _time field showing time in GMT format.
How and where can I change the settings for the log entry so that it remains consistent and I can debug correct time period to view logs . The servers from where we are forwarding the logs is also in GMT time as far as I know.
Time-mockup: alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-16-2019 10:32 AM

There is no such thing as time displayed in logs; there is only text displayed in logs so the thing that you see in the raw event is the unmodified text the way that the event came in.

Do you see the Raw v that is above Event that is above your timestamp?
Click on that and change it to List. You will then see a new column called Time between i and Event that shows the event's timestamp adjusted to your user's Time zone setting. BTW, List is the default so at some point you changed this (or somebody logged in as you), so don't blame Splunk!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-16-2019 10:32 AM

There is no such thing as time displayed in logs; there is only text displayed in logs so the thing that you see in the raw event is the unmodified text the way that the event came in.

Do you see the Raw v that is above Event that is above your timestamp?
Click on that and change it to List. You will then see a new column called Time between i and Event that shows the event's timestamp adjusted to your user's Time zone setting. BTW, List is the default so at some point you changed this (or somebody logged in as you), so don't blame Splunk!

0 Karma
Reply
Solved! Jump to solution

gsonal03
New Member
‎03-16-2019 10:48 AM

Thanks for the explanation. I am not blaming splunk for anything, just trying to understand so it can utilized in correct manner.
With the explanation you are giving, it seems the source log file is logging in EST, that would mean the server which I assumed was in GMT is in fact in EST location. So, I need to change my account settings to EST then, to get consistent logs.
I will try this and see if it helps in finding old logs in appropriate date time range.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-16-2019 10:50 AM

You've got it.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...