- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is the indexed time not matching the time of t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is the indexed time not matching the time of the event?
Hi,
When I am giving the below search for 15th Aug 2015 :
index=_internal sourcetype=splunkd| reverse
I am getting the below output
8/15/15
1:14:00.381 AM
08-14-2015 12:44:00.381 -0700 INFO Metrics - group=pipeline, name=indexerpipe, processor=signing, cpu_seconds=0.000000, executes=176, cumulative_hits=1381281
But as per the event timestamp 08-14-2015 12:44:00.381, the event got generated on 14th Aug 2015, then why it is coming on 15th Aug 2015?
Please help me to get this mystery solved?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The time stamps you are seeing look correct.
The event happened at local time 14 Aug 12:44 (-7) which should be
14 Aug 19:44 GMT
When you log on to splunk with your user time zone setting ... You are also 5 hours 30 mins ahead of GMT... So your splunk server will show you a time stamp of when the event happened in your local time, so will show you 15 Aug 01:14
It's a matter of viewing logs across time zones.. Which somesoni2 was leading to.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What timezone you've in your user profile?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am in GMT +5:30
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And if you see the timezone on the events is -0700, so Splunk is converting the time to User's current timezone
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can change your user profile time zone (Settings-> Access Controls -> Users -> Your user name ) to GMT-0700, you would see both times are same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And what timezone is your server set to?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My Server is set up to US/CANADA GMT -7:00
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
8/9/15
11:59:33.768 PM
08-09-2015 11:29:33.768 -0700 INFO Metrics - group=tpool, name=indexertpool, qsize=0, workers=2, qwork_units=0
See the above events... it got generated on 8th Aug 2015 , but it is showing for 9th Aug 2015 when selected from TimeRangePicker.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
