Splunk Enterprise

I see the timestamp of the event one day ahead of the current date in the search head

shahk
Explorer

Hi,

Until yesterday everything was working fine. Suddenly this morning I can see that for the jms_ta application, topic events are being displayed with a date one day ahead, while for the jms queue, events are displayed for the correct data but one hour ahead of the current time.

Can you please tell me what could be the reason here? However, we have not changed anything.

Regards,
Krimesh

0 Karma

DalJeanis
SplunkTrust

You haven't specified what time zone you are in, or what time zone your logs are in. Inside of Splunk the events are stored in UTC, so it is not unusual to have tomorrow's timestamps if you are in the western hemisphere... or if the operating system or Splunk system THINKS you are in the western hemisphere...

0 Karma

twinspop
Influencer

Without log samples it's tough to help. My guess would be timezone issues. If your timestamps don't explicitly indicate a timezone, you should define it in props.conf.

0 Karma
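
An added example, not part of the replies above: a small Python check that takes `_time` and `_indextime` pairs (epoch seconds) exported from a search and reports, per source, whether the skew is a steady offset at a multiple of 15 minutes, which is what a missing or wrong timezone assumption produces. The sample rows and source names are constructed for illustration.

```python
from statistics import median

# Constructed sample rows: (source, _time, _indextime) in epoch seconds,
# as they might be exported from a search. Source names are hypothetical.
SAMPLE = [
    ("jms_topic", 1634120000 + 86400, 1634120003),
    ("jms_topic", 1634120060 + 86400, 1634120062),
    ("jms_topic", 1634120120 + 86400, 1634120125),
    ("jms_queue", 1634120000 + 3600, 1634120002),
    ("jms_queue", 1634120060 + 3600, 1634120061),
    ("syslog", 1634120000, 1634120004),
    ("syslog", 1634120060, 1634120063),
]

QUARTER_HOUR = 900  # UTC offsets in use are multiples of 15 minutes


def diagnose(rows, tolerance=120):
    """Per source: median (_time - _indextime) and whether it sits within
    `tolerance` seconds of a non-zero multiple of 15 minutes."""
    by_source = {}
    for source, event_time, index_time in rows:
        by_source.setdefault(source, []).append(event_time - index_time)

    report = {}
    for source, skews in by_source.items():
        skew = median(skews)
        nearest = round(skew / QUARTER_HOUR) * QUARTER_HOUR
        fixed = nearest != 0 and abs(skew - nearest) <= tolerance
        report[source] = {
            "median_skew_s": skew,
            # Positive hours mean the parsed timestamp is ahead of index time.
            "offset_hours": nearest / 3600 if fixed else 0.0,
            "fixed_offset": fixed,
        }
    return report


if __name__ == "__main__":
    for source, result in diagnose(SAMPLE).items():
        print(source, result)
```

A source flagged with `fixed_offset` is a candidate for an explicit timezone setting in props.conf; a skew that is not a steady offset points at something else, such as queueing delay or clock drift on the sender.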