
How do you find the difference of an hour in _time and _indextime in Splunk logs?


We have logs being parsed in Splunk which have a difference of an hour between _indextime and _time. Please advise how an event can have an _indextime exactly one hour less than its _time.

index="splunk_test"
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| eval diff=_indextime-_time
| table time, indextime

time                 indextime
2019-02-11 01:33:28  2019-02-11 00:33:37
2019-02-11 01:23:28  2019-02-11 00:23:37
2019-02-11 01:22:49  2019-02-11 00:23:07
2019-02-11 01:12:08  2019-02-11 00:12:37
2019-02-11 01:07:48  2019-02-11 00:08:07
2019-02-11 01:05:24  2019-02-11 00:05:37
2019-02-11 01:05:01  2019-02-11 00:05:07
2019-02-11 01:02:39  2019-02-11 00:03:07

Sample data below:

1:53:28.625 AM
I0211 01:53:28.625849 13773 catalog-server.cc:241] Catalog Version: 4079 Last Catalog Version: 4079
host = bda65node01.core.pimcocloud.net   source = /var/log/catalogd/catalogd.bda65node01.core.pimcocloud.net.impala.log.INFO.20190205-071323.12059   sourcetype = imapalacatalogd
1:43:28.549 AM  
I0211 01:43:28.549252 13



The most common reason for this problem is that your sourcetype parsing does not have the correct TZ set. Alternatively the TIME_FORMAT might be incorrect. The TZ should be set on the indexer or the first heavy forwarder that the data is sent through.

Here is some more information: https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Applytimezoneoffsetstotimestamps

All the best
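A props.conf stanza of the kind the answer describes, added here as a worked example; it is not taken from the thread or from Splunk's documentation. The sourcetype name comes from the question, the timestamp layout from the glog-style sample lines, and the TZ value is an assumption that must be replaced with the zone the catalogd host actually writes in.

```ini
# props.conf on the indexer, or on the first heavy forwarder the data passes through.
# Added example; the sourcetype name is the one shown in the question.
[imapalacatalogd]

# Sample line: I0211 01:53:28.625849 13773 catalog-server.cc:241] Catalog Version: ...
# glog lines start with a severity letter (I/W/E/F); skip it so the
# timestamp parser starts at the "mmdd" field.
TIME_PREFIX = ^[IWEF]

# Month, day, hours, minutes, seconds and six-digit microseconds.
# The log carries no year, so Splunk fills in the current one.
TIME_FORMAT = %m%d %H:%M:%S.%6N

# Characters to scan after TIME_PREFIX; "0211 01:53:28.625849" is 20.
MAX_TIMESTAMP_LOOKAHEAD = 22

# Zone in which the log host writes its timestamps. A wrong or missing TZ
# is what produces the constant one-hour _time/_indextime offset in the
# question. ASSUMPTION: Etc/UTC is a placeholder; use the host's real zone.
TZ = Etc/UTC

# Each event begins with a severity letter followed by mmdd and a space.
LINE_BREAKER = ([\r\n]+)[IWEF]\d{4}\s
SHOULD_LINEMERGE = false
```

The setting only affects events indexed after the restart; already-indexed events keep their stored _time. To confirm the fix, rerun the question's search with diff computed on the epoch fields (eval diff=_indextime-_time): new events should show a small positive lag in seconds instead of a constant -3600.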
