Why is _time different between apps for the same d...

hhGA · ‎04-18-2016

Hi,

For whatever reason, I have data in Splunk Cloud which has a different _time value depending on which app you view it from. Would anybody be able to tell me what causes this?

I running identical searches for the same data, using the same user, on the same machine. The only difference is the app. I am unable to find any timezone setting for a specific app either.

Thank you in advance for your help.

lguinn2 · ‎04-19-2016

Splunk always calculates the _time field in UTC (or GMT if you prefer) and stores it in the index.

When you examine the _time field, Splunk presents in the timezone that you, the user, have selected. You can see and change the timezone selection by clicking your name in the heading of the UI. Your selection is stored under your username in $SPLUNK_HOME/etc/users/<youracct>/user-prefs/local/user-prefs.conf

Although it is not common, I think it is possible to have a user-prefs.conf file within an app as well, or to have multiple user-prefs.conf files within your account and/or the apps. Splunk's normal precedence rules should apply, and this could certainly cause the symptoms that you are seeing.

If you cannot examine the individual configuration files directly, you may need help from someone who can. You won't be able to diagnose or correct this problem from the UI.

I would advise that each user be allowed to set a single timezone preference (which can be done from the UI), and that all app-specific timezone preferences be removed. Finally, remove duplicate timezone preferences for users, if any exist.

Once this is complete, each user will have the option to view the events in the timezone of their choice, that timezone will be applied consistently, and the timezone can be changed at will by the user.

hhGA · ‎04-28-2016

Thank you for your explanation lguinn. I will contact Support and get them to have a look. Will mark your answer as correct when I know if this is the case.

Thanks again

lguinn2 · ‎04-18-2016

We need to see the actual search that you are running. If the search uses any knowledge objects (such as tags, eventtypes, etc.), they could be defined differently in each app. Other things might be different as well.

hhGA · ‎04-19-2016

Hi lquinn,

Thanks for the quick response. The search I am using is :

index=idx_name | eval time = _time | sort -time | table _time, time, source

_time is extracted from the file name hence why I'm tabling 'source',

There are no tags or event types associated with this data.

Also, it would seem that it is only the search and reporting app which returns a different _time value. Does this app behave differently from user-made ones in some way?

Thanks,

diogofgm · ‎04-19-2016

Is the timezone present in your raw data?

------------
Hope I was able to help you. If so, some karma would be appreciated.

hhGA · ‎04-19-2016

Hi diogofgm,

The sourcetype for the input has a TZ value of 'Europe/London'. The time in the filename is in BST where I would like the _time field to be in UTC (GMT).

There is no timezone information in the raw data.

Why is _time different between apps for the same data in Splunk Cloud?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation