Hi,
Intro:
I understand that Splunk populates the _time field at index time, from valid date strings in the raw event data. This time is parsed as Unix UTC time, but it is displayed in local time in Splunk Web.
Problem:
I know how I would go about evaluating a new DisplayUtcTime field to use during my queries. However, I want to know how to produce timecharts (with the TimeChart command) plotted (displayed) in UTC rather than local time.
[Again, I am aware that I can produce a similar result while using chart command if I say "over DisplayUtcTime", but I like the feature of timechart command that it automatically produces a sensible time span depending on the time range of your search]
Use Case:
More specifically, I use the Splunk.Client C# SDK to send search queries (jobs), and whenever I receive any kind of time results back (TimeCharts, Latest(_time), etc.) I always receive them in local time. Is there a way to specify through the SDK (or directly in the queries) that I want the results in UTC?
[Note: I don't really have access to the Splunk config file, nor can I make any admin changes through the enterprise account.]
Please correct me if I am making any false assumptions at any point. Thank you.