Why is _time for my events showing a 1 hour differ...

mprreddy51 · ‎03-02-2016

Hi ,

Here is my requirement:

In my search, _time is showing 1 hour difference to _raw. Why it is _time is not picking up from the _raw? _time and _raw should be same.

_time                    source                         indexed_time                 latency           index    _raw
2016-03-01 22:31:45.434   p://abc.2016-03-02 06 37 19.log   Tue Mar 1 22:58:09 PST 2016  -1583.565837   abc        2016-03-01T23:31:45.4341630-07:00    [General:Information]   MessageCode=***, Message=Batch Runtime Info - JobId:***Job

Below is the one more sample event on the search head:

Time Event
3/1/16 10:37:19.694 PM 2016-03-01T*23:37:19.6942880-07:00 [General:Information] MessageCode=**, Message=Batch Runtime Info -host = w00000 index = abc source = p://abc.Job.2016-03-02 06 37 19.log sourcetype = abcd

If check indextime vs _time, I am not getting latency (milliseconds latency can be ignored)

please help

somesoni2 · ‎03-02-2016

It seems like the timezone of the Search Head server OR timezone for the selected user is not same as the timezone of the data (-07:00). Splunk adjust the _time value, taken from the _raw, to current User's timezone (if selected explicitly) OR to current system (search Head) timezone. I would suggest to change the timezone of the user who is running the search to match the timezone in the data if you want to see the exact _time conversion.

Why is _time for my events showing a 1 hour difference compared to the _raw data?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life