Hi,
For whatever reason, I have data in Splunk Cloud which has a different _time value depending on which app you view it from. Would anybody be able to tell me what causes this?
I am running identical searches for the same data, using the same user, on the same machine. The only difference is the app. I am unable to find any timezone setting for a specific app either.
Thank you in advance for your help.
Splunk always calculates the _time field in UTC (or GMT if you prefer) and stores it in the index.
When you examine the _time field, Splunk presents in the timezone that you, the user, have selected. You can see and change the timezone selection by clicking your name in the heading of the UI. Your selection is stored under your username in $SPLUNK_HOME/etc/users/<youracct>/user-prefs/local/user-prefs.conf
Although it is not common, I think it is possible to have a user-prefs.conf file within an app as well, or to have multiple user-prefs.conf files within your account and/or the apps. Splunk's normal precedence rules should apply, and this could certainly cause the symptoms that you are seeing.
If you cannot examine the individual configuration files directly, you may need help from someone who can. You won't be able to diagnose or correct this problem from the UI.
I would advise that each user be allowed to set a single timezone preference (which can be done from the UI), and that all app-specific timezone preferences be removed. Finally, remove duplicate timezone preferences for users, if any exist.
Once this is complete, each user will have the option to view the events in the timezone of their choice, that timezone will be applied consistently, and the timezone can be changed at will by the user.
Thank you for your explanation lguinn. I will contact Support and get them to have a look. Will mark your answer as correct when I know if this is the case.
Thanks again
We need to see the actual search that you are running. If the search uses any knowledge objects (such as tags, eventtypes, etc.), they could be defined differently in each app. Other things might be different as well.
Hi lguinn,
Thanks for the quick response. The search I am using is :
index=idx_name | eval time = _time | sort -time | table _time, time, source
_time is extracted from the file name, hence why I'm tabling 'source'.
There are no tags or event types associated with this data.
Also, it would seem that it is only the search and reporting app which returns a different _time value. Does this app behave differently from user-made ones in some way?
Thanks,
Is the timezone present in your raw data?
Hi diogofgm,
The sourcetype for the input has a TZ value of 'Europe/London'. The time in the filename is in BST, whereas I would like the _time field to be in UTC (GMT).
There is no timezone information in the raw data.