Splunk Search

Splunk showing 2 different times

New Member

Hello! in the process of checking time on our Splunk server, I came up with some puzzling results.

If I do a search query on my search head, I get this result: 2019-10-01T08:16:00-0400
Query is: * | stats count | eval clock = strftime(time(), "%Y-%m-%dT%H:%M:%S%z") | table clock

If I query through the Splunk API, I get this results: 1969-12-31T19:00:00-05:00
rest /services/server/info | eval updated_t=round(strptime(updated, "%Y-%m-%dT%H:%M:%S%z"), 2)

That's a 50 year difference! Any help greatly appreciated.

0 Karma


In most Splunk REST queries, the updated field is zero. I've rarely seen it populated and wouldn't rely on it for anything.

If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...