Getting Data In

Why is the indexed time not matching the time of the event?

abhayneilam
Contributor

Hi,

When I run the search below for 15th Aug 2015:

index=_internal sourcetype=splunkd | reverse

I am getting the below output

8/15/15 
1:14:00.381 AM  
08-14-2015 12:44:00.381 -0700 INFO  Metrics - group=pipeline, name=indexerpipe, processor=signing, cpu_seconds=0.000000, executes=176, cumulative_hits=1381281

But as per the event timestamp 08-14-2015 12:44:00.381, the event was generated on 14th Aug 2015, so why is it showing on 15th Aug 2015?

Please help me get this mystery solved.

0 Karma

lloydd518
Path Finder

The time stamps you are seeing look correct.

The event happened at local time 14 Aug 12:44 (-7) which should be

14 Aug 19:44 GMT

When you log on to Splunk with your user time zone setting, you are 5 hours 30 mins ahead of GMT, so your Splunk server will show you the timestamp of when the event happened in your local time, which is 15 Aug 01:14.

It's a matter of viewing logs across time zones, which is what somesoni2 was leading to.

0 Karma
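The conversion lloydd518 describes, worked through as an added example (not code from the thread or from Splunk): the two splunkd lines quoted in this thread are parsed with their -0700 offset, converted to UTC and to a GMT+5:30 user profile, and rendered the way the Splunk Web event list shows them. The line format, the user offset and the fixed (non-DST) offsets are assumptions for illustration; Splunk itself stores the event as an epoch `_time` and only the display changes with the user's time zone preference.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the splunkd Metrics format quoted in the thread.
SAMPLE_EVENTS = [
    "08-14-2015 12:44:00.381 -0700 INFO  Metrics - group=pipeline, name=indexerpipe, "
    "processor=signing, cpu_seconds=0.000000, executes=176, cumulative_hits=1381281",
    "08-09-2015 11:29:33.768 -0700 INFO Metrics - group=tpool, name=indexertpool, "
    "qsize=0, workers=2, qwork_units=0",
]

# splunkd.log stamps are "MM-DD-YYYY HH:MM:SS.mmm +/-HHMM" in the server's local time.
STAMP_FORMAT = "%m-%d-%Y %H:%M:%S.%f %z"

# Assumed user profile offsets (fixed offsets, DST ignored for the illustration).
IST = timezone(timedelta(hours=5, minutes=30))   # GMT+5:30, the asker's profile
SERVER = timezone(timedelta(hours=-7))           # GMT-7:00, the server's zone


def parse_event_time(line):
    """Return the leading timestamp of a splunkd line as an offset-aware datetime."""
    date_str, time_str, offset_str = line.split(" ", 3)[:3]
    return datetime.strptime(f"{date_str} {time_str} {offset_str}", STAMP_FORMAT)


def to_gmt(event_time):
    """The absolute instant the event happened, expressed in GMT/UTC."""
    return event_time.astimezone(timezone.utc)


def display_time(event_time, user_tz):
    """Render like the Splunk Web event list: ('M/D/YY', 'h:MM:SS.mmm AM/PM')."""
    local = event_time.astimezone(user_tz)
    hour12 = local.hour % 12 or 12
    ampm = "AM" if local.hour < 12 else "PM"
    date_part = f"{local.month}/{local.day}/{local.year % 100:02d}"
    time_part = (f"{hour12}:{local.minute:02d}:{local.second:02d}"
                 f".{local.microsecond // 1000:03d} {ampm}")
    return date_part, time_part


def same_instant(event_time, tz_a, tz_b):
    """True if the event is the same epoch time regardless of the display zone."""
    return event_time.astimezone(tz_a).timestamp() == event_time.astimezone(tz_b).timestamp()


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        t = parse_event_time(line)
        print("raw stamp :", line[:29])
        print("in GMT    :", to_gmt(t).strftime("%d %b %H:%M"))
        print("GMT+5:30  :", " ".join(display_time(t, IST)))
        print("GMT-7:00  :", " ".join(display_time(t, SERVER)))
        print()
```

Running it reproduces both screenshots in the thread: 08-14-2015 12:44:00.381 -0700 is 14 Aug 19:44 GMT and is listed as 8/15/15 1:14:00.381 AM for a GMT+5:30 user, while a user profile set to GMT-7:00 shows 8/14/15 12:44:00.381 PM, matching the raw line. The epoch value is identical in every case; only the rendering differs.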

somesoni2
Revered Legend

What timezone do you have in your user profile?

0 Karma

abhayneilam
Contributor

I am in GMT+5:30

0 Karma

somesoni2
Revered Legend

And if you look, the timezone on the events is -0700, so Splunk is converting the time to the user's current timezone.

0 Karma

somesoni2
Revered Legend

You can change your user profile time zone (Settings -> Access Controls -> Users -> your user name) to GMT-0700, and you will see that both times are the same.

0 Karma

cramasta
Builder

And what timezone is your server set to?

0 Karma

abhayneilam
Contributor

My server is set to US/Canada GMT-7:00

0 Karma

abhayneilam
Contributor

8/9/15
11:59:33.768 PM
08-09-2015 11:29:33.768 -0700 INFO Metrics - group=tpool, name=indexertpool, qsize=0, workers=2, qwork_units=0

See the above event... it was generated on 8th Aug 2015, but it is showing for 9th Aug 2015 when selected from the time range picker.

0 Karma