Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is _time for my events showing a 1 hour difference compared to the _raw data?

mprreddy51
Explorer
‎03-02-2016 11:56 AM

Hi ,

Here is my requirement:

In my search, _time is showing 1 hour difference to _raw. Why it is _time is not picking up from the _raw? _time and _raw should be same.

_time                    source                         indexed_time                 latency           index    _raw
2016-03-01 22:31:45.434   p://abc.2016-03-02 06 37 19.log   Tue Mar 1 22:58:09 PST 2016  -1583.565837   abc        2016-03-01T23:31:45.4341630-07:00    [General:Information]   MessageCode=***, Message=Batch Runtime Info - JobId:***Job

Below is the one more sample event on the search head:

Time Event
3/1/16 10:37:19.694 PM 2016-03-01T*23:37:19.6942880-07:00 [General:Information] MessageCode=**, Message=Batch Runtime Info -host = w00000 index = abc source = p://abc.Job.2016-03-02 06 37 19.log sourcetype = abcd

If check indextime vs _time, I am not getting latency (milliseconds latency can be ignored)

please help

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎03-02-2016 01:36 PM

It seems like the timezone of the Search Head server OR timezone for the selected user is not same as the timezone of the data (-07:00). Splunk adjust the _time value, taken from the _raw, to current User's timezone (if selected explicitly) OR to current system (search Head) timezone. I would suggest to change the timezone of the user who is running the search to match the timezone in the data if you want to see the exact _time conversion.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...