When I run the search below for 15th Aug 2015:
index=_internal sourcetype=splunkd| reverse
I get the output below:
8/15/15 1:14:00.381 AM 08-14-2015 12:44:00.381 -0700 INFO Metrics - group=pipeline, name=indexerpipe, processor=signing, cpu_seconds=0.000000, executes=176, cumulative_hits=1381281
But as per the event timestamp
08-14-2015 12:44:00.381, the event was generated on 14th Aug 2015, so why is it showing up on 15th Aug 2015?
Please help me solve this mystery.
The timestamps you are seeing look correct.
The event happened at local time 14 Aug 12:44 (-7), which is
14 Aug 19:44 GMT.
When you log on to Splunk with your user time zone setting... you are also 5 hours 30 mins ahead of GMT... so your Splunk server will show you a timestamp of when the event happened in your local time, which is 15 Aug 01:14.
It's a matter of viewing logs across time zones, which somesoni2 was leading to.
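To make the conversion in the answer above concrete, here is an added example (not from the original post and not Splunk's own code). It parses the splunkd timestamp exactly as it appears in the raw event, keeps the -0700 offset the line carries, and renders the same instant the way Splunk's event list does for a viewer in GMT+5:30 and for a viewer in GMT-7. The two sample lines are constructed from the events quoted in this thread; the display format (M/D/YY h:MM:SS.mmm AM/PM) is an assumption that matches the output the question shows.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples: the raw splunkd Metrics lines quoted in the thread.
SAMPLE_LINE = ("08-14-2015 12:44:00.381 -0700 INFO Metrics - group=pipeline, "
               "name=indexerpipe, processor=signing, cpu_seconds=0.000000, "
               "executes=176, cumulative_hits=1381281")
SAMPLE_LINE_2 = ("08-09-2015 11:29:33.768 -0700 INFO Metrics - group=tpool, "
                 "name=indexertpool, qsize=0, workers=2, qwork_units=0")

# splunkd starts every line with "MM-DD-YYYY HH:MM:SS.mmm +HHMM"; the offset
# is part of the event, so the instant is unambiguous regardless of the viewer.
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})")

# Viewer zones from the thread: the poster's profile and the indexer's own zone.
IST = timezone(timedelta(hours=5, minutes=30))   # GMT+5:30 (user profile)
PDT = timezone(timedelta(hours=-7))              # GMT-7 (server / log line)


def parse_splunkd_time(line: str) -> datetime:
    """Return an aware datetime carrying the UTC offset written in the line."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no splunkd timestamp at start of line")
    # %z accepts the compact "-0700" form on Python 3.7+.
    return datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")


def to_utc(line: str) -> datetime:
    """The single instant Splunk stores as _time, normalised to UTC."""
    return parse_splunkd_time(line).astimezone(timezone.utc)


def splunk_display(dt: datetime, tz: timezone) -> str:
    """Render an instant the way the event list does for a viewer in `tz`:
    M/D/YY h:MM:SS.mmm AM/PM (assumed format, matching the question's output)."""
    local = dt.astimezone(tz)
    hour12 = local.hour % 12 or 12
    ampm = "AM" if local.hour < 12 else "PM"
    return (f"{local.month}/{local.day}/{local:%y} "
            f"{hour12}:{local:%M:%S}.{local.microsecond // 1000:03d} {ampm}")


if __name__ == "__main__":
    for line in (SAMPLE_LINE, SAMPLE_LINE_2):
        event = parse_splunkd_time(line)
        print("raw   :", line[:29])
        print("UTC   :", to_utc(line).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3])
        print("GMT-7 :", splunk_display(event, PDT))
        print("GMT+5:30:", splunk_display(event, IST))
        print()
```

Running it shows the first event as 8/15/15 1:14:00.381 AM for the GMT+5:30 viewer and 8/14/15 12:44:00.381 PM for a GMT-7 viewer: the same instant, 19:44:00.381 UTC, rendered in two zones. The date only appears to change because the +5:30 offset pushes the local clock past midnight; the epoch value Splunk indexes is identical in both cases.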
What timezone do you have in your user profile?
I am in GMT +5:30.
And if you look at the timezone on the events, it is -0700, so Splunk is converting the time to the user's current timezone.
You can change your user profile time zone
(Settings -> Access Controls -> Users -> Your user name) to GMT-0700, and you will see that both times are the same.
And what timezone is your server set to?
My server is set to US/Canada GMT -7:00.
08-09-2015 11:29:33.768 -0700 INFO Metrics - group=tpool, name=indexertpool, qsize=0, workers=2, qwork_units=0
See the above event... it was generated on 8th Aug 2015, but it is showing for 9th Aug 2015 when selected from the TimeRangePicker.