Getting Data In

Why is _time different between apps for the same data in Splunk Cloud?

hhGA
Communicator

Hi,

For whatever reason, I have data in Splunk Cloud which has a different _time value depending on which app you view it from. Would anybody be able to tell me what causes this?

I am running identical searches for the same data, using the same user, on the same machine. The only difference is the app. I am unable to find any timezone setting for a specific app either.

Thank you in advance for your help.

0 Karma

lguinn2
Legend

Splunk always calculates the _time field in UTC (or GMT if you prefer) and stores it in the index.

When you examine the _time field, Splunk presents in the timezone that you, the user, have selected. You can see and change the timezone selection by clicking your name in the heading of the UI. Your selection is stored under your username in $SPLUNK_HOME/etc/users/<youracct>/user-prefs/local/user-prefs.conf

Although it is not common, I think it is possible to have a user-prefs.conf file within an app as well, or to have multiple user-prefs.conf files within your account and/or the apps. Splunk's normal precedence rules should apply, and this could certainly cause the symptoms that you are seeing.

If you cannot examine the individual configuration files directly, you may need help from someone who can. You won't be able to diagnose or correct this problem from the UI.

I would advise that each user be allowed to set a single timezone preference (which can be done from the UI), and that all app-specific timezone preferences be removed. Finally, remove duplicate timezone preferences for users, if any exist.

Once this is complete, each user will have the option to view the events in the timezone of their choice, that timezone will be applied consistently, and the timezone can be changed at will by the user.

hhGA
Communicator

Thank you for your explanation lguinn. I will contact Support and get them to have a look. Will mark your answer as correct when I know if this is the case.

Thanks again

0 Karma

lguinn2
Legend

We need to see the actual search that you are running. If the search uses any knowledge objects (such as tags, eventtypes, etc.), they could be defined differently in each app. Other things might be different as well.

0 Karma

hhGA
Communicator

Hi lguinn,

Thanks for the quick response. The search I am using is:

index=idx_name | eval time = _time | sort -time | table _time, time, source

_time is extracted from the file name, hence why I'm tabling 'source'.

There are no tags or event types associated with this data.

Also, it would seem that it is only the search and reporting app which returns a different _time value. Does this app behave differently from user-made ones in some way?

Thanks,

0 Karma

diogofgm
SplunkTrust

Is the timezone present in your raw data?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

hhGA
Communicator

Hi diogofgm,

The sourcetype for the input has a TZ value of 'Europe/London'. The time in the filename is in BST, whereas I would like the _time field to be in UTC (GMT).

There is no timezone information in the raw data.

0 Karma
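The two places the thread points at are user-prefs.conf (the per-user tz preference, which can also appear inside an app and then be subject to Splunk's precedence rules) and props.conf (the TZ assigned to the sourcetype at index time). The script below is an added example, not code from the thread or from Splunk; it walks an etc/ tree and lists every tz/TZ setting it finds with its file and stanza, then counts the app-level user-prefs.conf entries, which are the ones lguinn2 suggests removing. It assumes SPLUNK_ETC points at $SPLUNK_HOME/etc; when that variable is unset it builds a constructed sample tree (the user name hhga, the app my_custom_app and the sourcetype my_sourcetype are invented for the illustration) so it runs offline.

```shell
#!/bin/sh
# Added example: find every timezone setting in a Splunk etc/ tree.
# Assumption: SPLUNK_ETC is $SPLUNK_HOME/etc; if unset, a constructed
# sample tree is created under a temp directory.

# Print "file<TAB>stanza<TAB>key<TAB>value" for each tz (user-prefs.conf)
# or TZ (props.conf) line found under the given etc/ directory.
list_tz_settings() {
    etc_dir="$1"
    find "$etc_dir" -type f \( -name user-prefs.conf -o -name props.conf \) 2>/dev/null | sort |
    while IFS= read -r conf; do
        stanza=""
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                \[*\]) stanza=${line#[}; stanza=${stanza%]} ;;   # remember current stanza
                tz*=*|TZ*=*)
                    key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
                    val=$(printf '%s' "${line#*=}" | tr -d ' \t')
                    printf '%s\t%s\t%s\t%s\n' "${conf#$etc_dir/}" "$stanza" "$key" "$val" ;;
            esac
        done < "$conf"
    done
}

# Count tz preferences that live in apps/ rather than in users/: these are the
# app-specific preferences that make _time render differently per app.
count_app_tz_prefs() {
    list_tz_settings "$1" |
    awk -F'\t' '$1 ~ /^apps\// && $1 ~ /user-prefs\.conf$/ && $3 == "tz" {n++} END {print n+0}'
}

# Constructed sample tree (illustration only): the user's own preference,
# a stray app-level preference for the search app, and a sourcetype TZ.
make_sample_etc() {
    root="$1"
    mkdir -p "$root/users/hhga/user-prefs/local" \
             "$root/apps/search/local" \
             "$root/apps/my_custom_app/local"
    printf '[general]\ntz = Europe/London\n' > "$root/users/hhga/user-prefs/local/user-prefs.conf"
    printf '[general_default]\ntz = UTC\n' > "$root/apps/search/local/user-prefs.conf"
    printf '[my_sourcetype]\nTZ = Europe/London\n' > "$root/apps/my_custom_app/local/props.conf"
}

ETC_DIR=${SPLUNK_ETC:-$(mktemp -d)/etc}
[ -d "$ETC_DIR" ] || make_sample_etc "$ETC_DIR"

list_tz_settings "$ETC_DIR"
echo "app-level tz preferences found: $(count_app_tz_prefs "$ETC_DIR")"
```

On a host where you can run the Splunk CLI, `splunk btool user-prefs list --debug` shows the same merged view with the winning file for each setting; the script is useful where you only have a copy of the etc/ tree, or want a quick count of app-level overrides before asking Support to remove them.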