
How to avoid changing timezone to get proper results?

Path Finder

Hi all,
I am generating some call logs from different timezones: America, Asia, UK and so on.
I am running a search which gives me wrong results when I keep the timezone set to my local (GMT-08:00) Pacific Time (US & Canada), and when I change the timezone to their dependent timezones from preferences, I get proper results.

My latest event time from the log is: 2019-07-24T13:03:58.000-07:00

My current time in (GMT-08:00) Pacific Time (US & Canada) = Wed 1:36 pm now

How do I solve this problem?
Any help please.

0 Karma

Re: How to avoid changing timezone to get proper results?

SplunkTrust

What is your desired outcome?
You can always use the _indextime field if data arrives in a timely fashion.

0 Karma

Re: How to avoid changing timezone to get proper results?

SplunkTrust

Since you're asking about CallManager CDR data, it's very important to realize that the time in that data is extracted from an epochtime value.

This means there is no TZ info used or needed at all during index time. Splunk stores time as epochtime (number of seconds since the epoch), and Splunk sees the epochtime values in the file (see TIMEPREFIX and TIMEFORMAT), so all is well. It just uses the epochtime listed in the raw csv, and no matter what timezone Splunk thinks it is in, it'll index the data the same way.

I think what you're seeing in terms of right results and wrong results is that the time picker itself, when you pick "last 7 days", doesn't just do exactly 7 days ago to now; it does "-7d@d" to now. Note the "@d". This means "round down to the nearest day (using current TZ preference)". So it will get different results in different time ranges because you're telling it to search a longer or shorter timerange.

However, it can also be confusing that some parts of the Splunk search language also incorporate what the current timezone is.
| eval hour_of_day=strftime(_time,"%H")
is a good example. So in some cases with complex reports, there can be calculations internal to the SPL that will work out differently depending on timezone.

hth


0 Karma
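The two effects described in the answer above, worked through in Python as an added example (not part of the original replies, and not Splunk code). The fixed UTC offsets standing in for user timezone preferences, the function names, and the `OLD_CALL` event are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed UTC offsets stand in for user timezone preferences (constructed; DST is not modelled).
PREFS = {
    "Pacific (PDT)": timezone(timedelta(hours=-7)),
    "UK (BST)": timezone(timedelta(hours=1)),
    "India (IST)": timezone(timedelta(hours=5, minutes=30)),
}

def to_epoch(iso):
    """Absolute epoch seconds for an ISO-8601 timestamp that carries an offset."""
    return int(datetime.fromisoformat(iso).timestamp())

def hour_of_day(epoch, tz):
    """What strftime(_time,"%H") renders when tz is the display timezone."""
    return datetime.fromtimestamp(epoch, tz).strftime("%H")

def earliest_snapped(now_epoch, days_back, tz):
    """Epoch of '-<days_back>d@d': step back N days, then round down to local midnight in tz."""
    local = datetime.fromtimestamp(now_epoch, tz) - timedelta(days=days_back)
    return int(local.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())

def in_window(event_epoch, now_epoch, days_back, tz):
    """True if the event falls between the snapped earliest time and now."""
    return earliest_snapped(now_epoch, days_back, tz) <= event_epoch <= now_epoch

EVENT = to_epoch("2019-07-24T13:03:58.000-07:00")  # latest event time from the question
NOW = to_epoch("2019-07-24T13:36:00-07:00")        # "Wed 1:36 pm" Pacific; seconds assumed
OLD_CALL = to_epoch("2019-07-17T10:00:00+00:00")   # constructed event near the window edge

if __name__ == "__main__":
    # Same stored epochs, three preferences: the rendered hour and the window edge both move.
    for name, tz in PREFS.items():
        print(name, hour_of_day(EVENT, tz), earliest_snapped(NOW, 7, tz),
              in_window(OLD_CALL, NOW, 7, tz))
```

The stored epoch of each event never changes; only the snapped search boundary and the rendered hour do, which is why the constructed `OLD_CALL` event is inside the "last 7 days" window under the Pacific and UK offsets but outside it under the India offset.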

Re: How to avoid changing timezone to get proper results?

Esteemed Legend

I find it amusing that your original subject/title says exactly what is my answer. That is exactly what your personal timezone setting does. That is the whole point. It is unclear why you posted this.

0 Karma