
Why is the indexed time not matching the time of the event?

abhayneilam
Contributor

Hi,

When I run the search below for 15th Aug 2015:

index=_internal sourcetype=splunkd | reverse

I am getting the below output

8/15/15 
1:14:00.381 AM  
08-14-2015 12:44:00.381 -0700 INFO  Metrics - group=pipeline, name=indexerpipe, processor=signing, cpu_seconds=0.000000, executes=176, cumulative_hits=1381281

But as per the event timestamp 08-14-2015 12:44:00.381, the event was generated on 14th Aug 2015, so why is it appearing on 15th Aug 2015?

Please help me solve this mystery.

0 Karma

lloydd518
Path Finder

The time stamps you are seeing look correct.

The event happened at local time 14 Aug 12:44 (-7) which should be

14 Aug 19:44 GMT

When you log on to Splunk with your user time zone setting, you are also 5 hours 30 mins ahead of GMT, so your Splunk server will show you a timestamp of when the event happened in your local time, which is 15 Aug 01:14.

It's a matter of viewing logs across time zones, which somesoni2 was leading to.

0 Karma
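
The conversion described in the answer above, as an added example that is not part of the original thread and is not Splunk's own code: it parses the leading splunkd timestamp from the two raw events quoted in this thread and renders the same instant at a viewer offset of +05:30, the value the asker reports. The function names and the `viewer_offset` parameter are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# splunkd.log lines start with "MM-DD-YYYY HH:MM:SS.mmm +/-HHMM"
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})")
TS_FMT = "%m-%d-%Y %H:%M:%S.%f %z"

# Raw events copied from the posts in this thread.
EVENTS = [
    "08-14-2015 12:44:00.381 -0700 INFO  Metrics - group=pipeline, name=indexerpipe",
    "08-09-2015 11:29:33.768 -0700 INFO Metrics - group=tpool, name=indexertpool",
]

def parse_event_time(raw_line):
    """Return the timezone-aware timestamp written at the start of the raw event."""
    m = TS_RE.match(raw_line)
    if not m:
        raise ValueError("no splunkd-style timestamp at start of line")
    return datetime.strptime(m.group(1), TS_FMT)

def explain(raw_line, viewer_offset):
    """Show one instant three ways: as written, in UTC, and in the viewer's zone.

    viewer_offset is a timedelta (hypothetical parameter standing in for the
    time zone configured in the user's profile).
    """
    written = parse_event_time(raw_line)
    shown = written.astimezone(timezone(viewer_offset))
    utc = written.astimezone(timezone.utc)
    return {
        "written": written.isoformat(timespec="milliseconds"),
        "utc": utc.isoformat(timespec="milliseconds"),
        "shown": shown.isoformat(timespec="milliseconds"),
        # Calendar-day difference between the displayed and the written date.
        "date_shift_days": (shown.date() - written.date()).days,
        # Aware datetimes compare by instant, so this is True whatever the offset.
        "same_instant": shown == written,
    }

if __name__ == "__main__":
    viewer = timedelta(hours=5, minutes=30)  # GMT +5:30, as stated by the asker
    for line in EVENTS:
        for key, value in explain(line, viewer).items():
            print(f"{key:>16}: {value}")
        print()
```

When correlating events from several sources, compare on the `utc` value rather than on the displayed wall-clock time, since the displayed value changes with each viewer's profile setting.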

somesoni2
Revered Legend

What timezone do you have in your user profile?

0 Karma

abhayneilam
Contributor

I am in GMT +5:30

0 Karma

somesoni2
Revered Legend

And as you can see, the timezone on the events is -0700, so Splunk is converting the time to the user's current timezone.

0 Karma

somesoni2
Revered Legend

You can change your user profile time zone (Settings -> Access Controls -> Users -> Your user name) to GMT-0700, and you would see that both times are the same.

0 Karma

cramasta
Builder

And what timezone is your server set to?

0 Karma

abhayneilam
Contributor

My Server is set up to US/CANADA GMT -7:00

0 Karma

abhayneilam
Contributor

8/9/15
11:59:33.768 PM
08-09-2015 11:29:33.768 -0700 INFO Metrics - group=tpool, name=indexertpool, qsize=0, workers=2, qwork_units=0

See the above event... it was generated on 8th Aug 2015, but it is showing for 9th Aug 2015 when selected from the TimeRangePicker.

0 Karma