Splunk Enterprise

I see the timestamp of the event one day ahead of the current date in the search head



Until yesterday everything was working fine. Suddenly, this morning, I can see that for the jms_ta application, topic events are being displayed with a date one day ahead, while jms queue events are displayed with the correct date but one hour ahead of the current time.

Can you please tell me what could be the reason here? However, we have not changed anything.


You haven't specified what time zone you are in, or what time zone your logs are in. Inside of Splunk the events are stored in UTC, so it is not unusual to have tomorrow's timestamps if you are in the western hemisphere... or if the operating system or Splunk system THINKS you are in the western hemisphere...

Without log samples it's tough to help. My guess would be timezone issues. If your timestamps don't explicitly indicate a timezone, you should define it in props.conf.
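
To illustrate the time zone point raised in the answers above, here is an added example (not part of the original thread, and not Splunk code) showing how a timestamp with no zone indicator shifts when the parser assumes a different UTC offset than the source used. The timestamp format, the offsets and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"  # constructed format; the thread shows no log sample


def to_epoch(raw: str, offset_hours: float) -> int:
    """Interpret a zone-less timestamp as local time at the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return int(datetime.strptime(raw, FMT).replace(tzinfo=tz).timestamp())


def skew_seconds(raw: str, true_offset: float, assumed_offset: float) -> int:
    """Positive result: the event is stored later than it really happened."""
    return to_epoch(raw, assumed_offset) - to_epoch(raw, true_offset)


def displayed(raw: str, true_offset: float, assumed_offset: float,
              viewer_offset: float) -> str:
    """Wall-clock string a viewer at viewer_offset sees for the stored event."""
    epoch = to_epoch(raw, assumed_offset)
    tz = timezone(timedelta(hours=viewer_offset))
    return datetime.fromtimestamp(epoch, tz).strftime(FMT)


def classify(skew: int) -> str:
    """Rough triage of a skew measured against a trusted clock (assumed rules)."""
    if skew == 0:
        return "ok"
    if abs(skew) <= 14 * 3600 and skew % 900 == 0:
        return "utc-offset mismatch"  # whole quarter-hours: time zone or DST
    if abs(skew) >= 86400 and skew % 86400 == 0:
        return "date parsed wrong"    # whole days: check date extraction
    return "clock drift or mixed cause"


if __name__ == "__main__":
    # Constructed event: written at 23:30 by a host at UTC+1, with no zone in the log.
    raw = "2024-03-10 23:30:00"
    skew = skew_seconds(raw, true_offset=1, assumed_offset=0)
    print("skew:", skew, "->", classify(skew))
    # A viewer at UTC+1 sees the event one hour late and on the next calendar day.
    print("displayed:", displayed(raw, 1, 0, viewer_offset=1))
```

An event written shortly before midnight therefore appears both one hour ahead and with the next day's date, even though only the assumed offset is wrong.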

