Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- Re: splunk time stamp
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk time stamp
Hello,
When I'm looking at an event, there is a TIME field to the left column and then the actual event has it's own time listed as well.
Is the TIME column using the clock from my PC and the Time within the event is the time reported by the log source?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _time=strftime(_time,"%F %T %z")
In UTC, this result is +0000 or -0000.
Which one is actually?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Time field is being adjusted to match your Time zone setting in your user's Preferences. Keep in mind that the timestamp of the event is not always based on the string that is in _raw. Some people are lazy and use inadvisable settings like DATETIME_CONFIG = current.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you somesoni2. Looks like I am on UTC time.
What does "strftime" stand for?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
STRing Format TIME.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Woodcock,
When I drill into my username and then perferences I see the timezone is set to "Default System Timezone". Where can I find out what the default system timezone is?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You'd need to log onto the server to see that. OR if your Timezone is set to "Default System Timezone", then you can find your timezone (which is same as system timezone in this case), by running a search like this
| makeresults | eval timezone=strftime(_time,"%Z (%z)")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The time within the event is the raw data from the source. The value in the TIME column (which I assume is _time renamed) is Splunk's interpretation of when the event happened. It should be the same as one of the time strings in the event. It will be displayed in the time zone you selected in your Splunk preferences.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I meant to say the other way around. Is the TIME column reported in UTC time and the time within the event what the log source sent?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
