Splunk time and the event time do not match. There is a 5 hour difference.
How to get both the timestamps under the same timezone?
Please assist.
Assuming your user is in Central US, then those timestamps represent the same time. The event occurred when it was 1:40 PM in London, and 8:40 AM in Chicago.
If the event time is NOT originally in UT/GMT, then it is reporting incorrectly; the Z in the event's timestamp is incorrect. You can correct that with transforms, assuming that the source is consistent about how much off it is reporting the time.
hello there:
read here:
https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Applytimezoneoffsetstotimestamps
it explains it better than I do
hope it helps
Your raw event has Z in the place where you specify the timezone, which indicates to Splunk that the log TZ is GMT. Your Splunk server/user timezone is CDT, so _time is adjusted to show in the current timezone.
One of the options to correct the timezone display for a specific user is to navigate to the logged-in user's Account Menu, choose the Edit Settings or Account Settings option, and then change the Time zone to Eastern Time (US & Canada) to account for the 5 hour difference.
The following has a screenshot of where the Account Menu is located in Splunk Web: http://docs.splunk.com/Documentation/Splunk/latest/Search/NavigatingSplunkWeb#Account_menu
Tried this option but it did not work at all. Do I need to restart Splunk after the change?
Also, do I need to make these changes on the search head or the indexer?
Try changing your user TZ to GMT (the same as what the raw data is logged with). That way they'll both show the same timestamp. No restart is required, and it should be done on the Search Head.
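The arithmetic behind the answers above (a timestamp ending in Z is read as UTC and rendered in the user's timezone, so a Central US user sees it 5 hours earlier in summer and 6 hours earlier in winter; setting the user TZ to GMT makes both agree; and a source whose Z is wrong has to be re-read as local wall-clock time), as an added Python example that is not from this thread. The event timestamps are constructed, and the zone names are assumptions.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample events (not from the thread). The trailing "Z" is the
# UTC designator that Splunk honours when it parses the timestamp.
SUMMER_EVENT = "2017-06-20T13:40:00Z"   # US daylight time in effect
WINTER_EVENT = "2017-01-20T13:40:00Z"   # US standard time in effect


def parse_event_time(raw: str) -> datetime:
    """Parse an ISO-8601 timestamp ending in Z as UTC, as Splunk does."""
    if not raw.endswith("Z"):
        raise ValueError("expected a timestamp with a Z (UTC) designator")
    naive = datetime.strptime(raw[:-1], "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def display_time(raw: str, user_tz: str) -> str:
    """Render the event the way Splunk Web would for a user in user_tz."""
    local = parse_event_time(raw).astimezone(ZoneInfo(user_tz))
    return local.strftime("%Y-%m-%d %H:%M:%S %Z")


def display_offset_hours(raw: str, user_tz: str) -> float:
    """Hours by which the displayed clock reading trails the raw (UTC) one.

    This is the "difference" the poster sees; it changes with DST, so a
    fixed correction (e.g. picking a different user timezone) drifts twice
    a year, whereas setting the user TZ to GMT matches the raw data always.
    """
    local = parse_event_time(raw).astimezone(ZoneInfo(user_tz))
    return -local.utcoffset().total_seconds() / 3600


def reinterpret_as_local(raw: str, source_tz: str) -> datetime:
    """Handle the case where the Z is a lie: the source stamps local
    wall-clock time but appends Z. Drop the Z and attach the real zone,
    which is what a parse-time correction in Splunk has to achieve."""
    naive = datetime.strptime(raw[:-1], "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=ZoneInfo(source_tz))


if __name__ == "__main__":
    for tz in ("America/Chicago", "Etc/UTC"):
        print(tz, display_time(SUMMER_EVENT, tz), display_offset_hours(SUMMER_EVENT, tz))
```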