Wow thanks for the great explanation! I know sundareshr had also suggested reltime but when I looked at the doc I couldn't understand why it had no argumates - was still thinking I needed to feed it two dates. That does seem to have worked. ... View more

I think there may be an issue with the splunk forwarder assuming the incoming _time values are local instead of UTC. I'm going to see if I can figure out how to get at the raw value because I can't change the forwarder at this time. Thanks for the help! ... View more

Thanks for that. I tried a simplified version which just ave me the UTC time I wanted: eval nowutc=strptime(strftime(now(),"%m/%d/%Y %H:%M:%S UTC"),"%m/%d/%Y %H:%M:%S %Z") | eval result = nowutc - _time But the resultant number is the same as I get from this: eval result=now() - _time I'm starting to think the issue is _time and not now(). Eg., I have a panel showing "Last Event Was 27 Hours Ago" when I have events from 16 hours ago - and I am in UTC+11. All the data files are in JSON format with a _time field, for every event, in UTC. Now I'm thinking splunk is interpreting that as local time... ... View more