We are in EST and all data from Google is in UTC, so all of our data was four hours off:

index=<your gcp index> |
eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") |
eval delta = _indextime - _time |
table sourcetype, _time, _indextime, indextime, delta |
sort indextime desc

sourcetype                   _time                    indextime            delta
google:gcp:pubsub:message    2021-09-14 21:13:45.381  2021-09-14 17:13:48  -14397.381004
google:gcp:pubsub:message    2021-09-14 21:13:47.272  2021-09-14 17:13:47  -14400.272801
google:gcp:pubsub:message    2021-09-14 21:13:46.430  2021-09-14 17:13:47  -14399.43

jofret, is this the change you made?

Edit file /opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/local/props.conf

[google:billing:json]
TZ = UTC
[google:billing:csv]
TZ = UTC
[google:gcp:billing:report]
TZ = UTC
[google:gcp:pubsub:message]
TZ = UTC
[google:gcp:pubsub:audit:auth]
TZ = UTC
[google:gsuite:pubsub:audit:auth]
TZ = UTC
[google:gcp:gsuite:admin:directory:users]
TZ = UTC
[google:gcp:buckets:xmldata]
TZ = UTC
[google:gcp:buckets:jsondata]
TZ = UTC
[google:gcp:buckets:*data]
TZ = UTC
[google:gcp:compute:instance]
TZ = UTC
[google:gcp:compute:vpc_flows]
TZ = UTC

After refreshing the heavy forwarder this Splunk add-on is running on, the issue seems to be resolved.

sourcetype                   _time                    indextime            delta
google:gcp:pubsub:message    2021-09-14 17:20:38.147  2021-09-14 17:20:39  0.852020
google:gcp:pubsub:message    2021-09-14 17:20:38.146  2021-09-14 17:20:39  0.853950
google:gcp:pubsub:message    2021-09-14 17:20:38.097  2021-09-14 17:20:39  0.902150
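As an added example (not part of the original post), a small Python check that replays the delta computation from the search above and flags any sourcetype whose _indextime - _time delta sits a whole number of hours off, which is the signature of timestamps parsed in the wrong time zone. The sample rows are the values from the two tables in the post; the 300 s "normal lag" threshold is an assumption.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional

class Row(NamedTuple):
    sourcetype: str
    event_time: str   # _time as Splunk renders it
    index_time: str   # _indextime rendered with strftime("%Y-%m-%d %H:%M:%S")

def parse_ts(ts: str) -> datetime:
    """Parse Splunk's '%Y-%m-%d %H:%M:%S[.fff]' rendering; both columns share one zone."""
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in ts else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)

def delta_seconds(row: Row) -> float:
    """_indextime - _time, the same 'delta' field the search computes."""
    return (parse_ts(row.index_time) - parse_ts(row.event_time)).total_seconds()

def tz_skew_hours(delta: float, max_latency: float = 300.0) -> Optional[int]:
    """Whole-hour offset hidden in a delta: 0 = healthy ingest lag, -4 = events stamped
    4 h in the future (UTC parsed as local), None = lag not explained by a zone offset."""
    hours = round(delta / 3600)
    residual = delta - hours * 3600  # ingest lag left once the offset is removed
    # indextime is rendered without fractions, so allow up to 1 s of truncation
    return hours if -1.0 <= residual <= max_latency else None

def audit(rows: List[Row]) -> Dict[str, Optional[int]]:
    """Most common skew per sourcetype; anything but 0 deserves a props.conf TZ check."""
    per_type: Dict[str, Counter] = {}
    for row in rows:
        per_type.setdefault(row.sourcetype, Counter())[tz_skew_hours(delta_seconds(row))] += 1
    return {st: c.most_common(1)[0][0] for st, c in per_type.items()}

# Constructed sample: the rows shown in the post, before and after setting TZ = UTC
BEFORE_FIX = [
    Row("google:gcp:pubsub:message", "2021-09-14 21:13:45.381", "2021-09-14 17:13:48"),
    Row("google:gcp:pubsub:message", "2021-09-14 21:13:47.272", "2021-09-14 17:13:47"),
    Row("google:gcp:pubsub:message", "2021-09-14 21:13:46.430", "2021-09-14 17:13:47"),
]
AFTER_FIX = [
    Row("google:gcp:pubsub:message", "2021-09-14 17:20:38.147", "2021-09-14 17:20:39"),
    Row("google:gcp:pubsub:message", "2021-09-14 17:20:38.146", "2021-09-14 17:20:39"),
    Row("google:gcp:pubsub:message", "2021-09-14 17:20:38.097", "2021-09-14 17:20:39"),
]

if __name__ == "__main__":
    for label, rows in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit(rows))  # before -> -4 hours of skew, after -> 0
```

A skew of -4 for a sourcetype whose source emits UTC is exactly the case fixed above by adding TZ = UTC to that sourcetype's stanza; a None result points at genuine forwarding lag rather than a zone problem.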