Hi @Becherer,
_time is always stored in the Splunk indexes as an epoch time value. When you use _time in a search, Splunk assumes you want to see a human-readable time value, instead of an epoch time number of seconds. It also assumes that you want to see this human readable time value in the current time zone of the user account that is currently logged in.
If you want to see the actual epoch time value, you can use eval to create an epoch time representation instead:
| eval time_epoch = strftime(_time, "%s")
As @mdsnmss suggested, you could also do
| eval epoch1 = _time
Which also works, because Splunk only makes the human-readable assumption for _time, and anything else that you set to _time will be an epoch time value.
I hope this helps.