Splunk Enterprise

I sees time stamp of the event one day ahead of the current date in search head



Till yesterday it was working everything fine. Suddenly today morning I can see that for jms_ta application for topic events is being displayed with date one day ahead. While for jms queue event is displaying for the correct data but one hour ahead of current time.

Can you please tell me what could be the reason here. However we have not changed anything.


Tags (1)
0 Karma


You haven't specified what time zone you are in, or what time zone your logs are in. Inside of splunk the events are stored in UTC, so it is not unusual to have tomorrow's timestamps if you are in the western hemisphere.... or if the operating system or splunk system THINKS you are in the western hemisphere...

0 Karma


Without log samples it's tough to help. My guess would be timezone issues. If your timestamps don't explicitly indicate a timezone, you should define it in props.conf.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!