Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

"Last 15 min" - refers to event time or index time ?

splunker12er
Motivator
‎08-08-2014 01:35 AM

"Last 15 minutes" - Is this referring to index time (or) Events time ?

I have hosts located in different timezones, and my Search head & indexers running in GMT TZ.
So,when I do a search for say.,"Last 15 min" , this refers to GMT's timezones last 15 minute ?

I am referring to this since, i might miss data in my search result as host's event time are in their native TZ format which will not be shown for my search

0 Karma
Reply

strive
Influencer
‎08-08-2014 02:36 AM

Martin has answered your question.

Suppose if you need index time. Use _indextime field.

Example:
index= your_index earliest=-10m@m | dedup _indextime | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-08-2014 01:45 AM

That refers to the event's time, namely the _time field.

All times in the UI are in the Splunk user's timezone, which defaults to the Search Head timezone.
For indexing other timezones where the event doesn't specify the timezone you can set the timezone for a host in props.conf like this:

[host::some_host]
TZ = timezone

See http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/propsconf for reference.

If you want to search for the last 15 minutes by index time you can search over all time using this:

_index_earliest=-15m _index_latest=now actual search goes here
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...