Getting Data In

Why is the indexed time not matching the time of the event?

abhayneilam
Contributor

Hi,

When I am giving the below search for 15th Aug 2015 :

index=_internal sourcetype=splunkd| reverse 

I am getting the below output

8/15/15 
1:14:00.381 AM  
08-14-2015 12:44:00.381 -0700 INFO  Metrics - group=pipeline, name=indexerpipe, processor=signing, cpu_seconds=0.000000, executes=176, cumulative_hits=1381281

But as per the event timestamp 08-14-2015 12:44:00.381, the event got generated on 14th Aug 2015, then why it is coming on 15th Aug 2015?

Please help me to get this mystery solved?

0 Karma

lloydd518
Path Finder

The time stamps you are seeing look correct.

The event happened at local time 14 Aug 12:44 (-7) which should be

14 Aug 19:44 GMT

When you log on to splunk with your user time zone setting ... You are also 5 hours 30 mins ahead of GMT... So your splunk server will show you a time stamp of when the event happened in your local time, so will show you 15 Aug 01:14

It's a matter of viewing logs across time zones.. Which somesoni2 was leading to.

0 Karma

somesoni2
Revered Legend

What timezone you've in your user profile?

0 Karma

abhayneilam
Contributor

i am in GMT +5:30

0 Karma

somesoni2
Revered Legend

And if you see the timezone on the events is -0700, so Splunk is converting the time to User's current timezone

0 Karma

somesoni2
Revered Legend

You can change your user profile time zone (Settings-> Access Controls -> Users -> Your user name ) to GMT-0700, you would see both times are same.

0 Karma

cramasta
Builder

And what timezone is your server set to?

0 Karma

abhayneilam
Contributor

My Server is set up to US/CANADA GMT -7:00

0 Karma

abhayneilam
Contributor

8/9/15
11:59:33.768 PM
08-09-2015 11:29:33.768 -0700 INFO Metrics - group=tpool, name=indexertpool, qsize=0, workers=2, qwork_units=0

See the above events... it got generated on 8th Aug 2015 , but it is showing for 9th Aug 2015 when selected from TimeRangePicker.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...