Splunk Search

How do you find the difference of an hour in _time and _indextime in Splunk logs?


We have logs being parsed in Splunk which have differences in _indextime and _time of an hour. Please advise how can an event have _indextime exact one hour lesser than _time.

index="splunk_test" |eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") | eval diff= indextime-time | table time, indextime

time                                indextime
2019-02-11 01:33:28 2019-02-11 00:33:37
2019-02-11 01:23:28 2019-02-11 00:23:37
2019-02-11 01:22:49 2019-02-11 00:23:07
2019-02-11 01:12:08 2019-02-11 00:12:37
2019-02-11 01:07:48 2019-02-11 00:08:07
2019-02-11 01:05:24 2019-02-11 00:05:37
2019-02-11 01:05:01 2019-02-11 00:05:07
2019-02-11 01:02:39 2019-02-11 00:03:07

Sample data below:-

1:53:28.625 AM  
I0211 01:53:28.625849 13773 catalog-server.cc:241] Catalog Version: 4079 Last Catalog Version: 4079
host =  bda65node01.core.pimcocloud.net source =    /var/log/catalogd/catalogd.bda65node01.core.pimcocloud.net.impala.log.INFO.20190205-071323.12059 sourcetype =   imapalacatalogd
1:43:28.549 AM  
I0211 01:43:28.549252 13


Tags (2)
0 Karma


The most common reason for this problem is that your sourcetype parsing does not have the correct TZ set. Alternatively the TIME_FORMAT might be incorrect. The TZ should be set on the indexer or the first heavy forwarder that the data is sent through.

Here is some more information: https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Applytimezoneoffsetstotimestamps

All the best

Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...