"Last 15 min" - refers to event time or index time...

splunker12er · ‎08-08-2014

"Last 15 minutes" - Is this referring to index time (or) Events time ?

I have hosts located in different timezones, and my Search head & indexers running in GMT TZ.
So,when I do a search for say.,"Last 15 min" , this refers to GMT's timezones last 15 minute ?

I am referring to this since, i might miss data in my search result as host's event time are in their native TZ format which will not be shown for my search

strive · ‎08-08-2014

Martin has answered your question.

Suppose if you need index time. Use _indextime field.

Example:
index= your_index earliest=-10m@m | dedup _indextime | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime

martin_mueller · ‎08-08-2014

That refers to the event's time, namely the _time field.

All times in the UI are in the Splunk user's timezone, which defaults to the Search Head timezone.
For indexing other timezones where the event doesn't specify the timezone you can set the timezone for a host in props.conf like this:

[host::some_host]
TZ = timezone

See http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/propsconf for reference.

If you want to search for the last 15 minutes by index time you can search over all time using this:

_index_earliest=-15m _index_latest=now actual search goes here

"Last 15 min" - refers to event time or index time ?

Platform Newsletter Highlights | March 2023

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor