Splunk® Cloud Services

SPL2 Search Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Time zones

The Splunk platform processes time zones when data is indexed and when data is searched.

When data is indexed, the Splunk indexer looks for a timestamp in each event. The timestamp might be in one of several formats, as shown in the following table:

Type of timestamp Timestamp example Description
UNIX time 1523644307 In seconds
1523644307000 In milliseconds
Human-readable format 04/13/2020 11:45:30 PDT US Pacific Daylight Time, the timezone where Splunk Headquarters is located.
Friday, April 13, 2020 11:45:30 AM GMT -07:00 A timestamp with an offset from GMT (Greenwich Mean Time)
2020-04-13T11:45:30-07:00 or 2020-04-13T11:45:30Z A timestamp expressed in UTC (Coordinated Universal Time)
Local time with no time zone 10:55AM The local time is interpreted as the same time zone as the Splunk indexer where the data is indexed.

Sometimes you might see a timestamp expressed as UTC-7 or UTC+3, which is UTC with the offset from GMT. For example 2020-04-13T11:45:30-07:00 could be expressed as UTC-7. The -0700 in the timestamp equates to the -7 in UTC-7.

During Daylight Savings Time (DST) in the United States, the -7 offset equates to the Pacific Daylight Time (PDT). San Francisco is in the Pacific timezone. When the United States returns to Standard time, the -8 offset equates to the Pacific Standard Time (PST).

Timestamps are stored in UNIX time

Regardless of how time is specified in your events, timestamps are converted to UNIX time and stored in the _time field when your data is indexed. If your data does not have timestamps, the time at which your data is indexed is used as the timestamp for your events.

UNIX time is the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), 1 January 1970. This moment in time is sometimes referred to as epoch time.

GMT and UTC

GMT (Greenwich Mean Time) is sometimes confused with UTC (Coordinated Universal Time). However GMT is a time zone and UTC is a time standard.

  • GMT is a time zone officially used in some European and African countries as their local time. The time is displayed in either the 24-hour format (00:00-23:59) or the 12-hour format (00:00-12:00 AM/PM).
  • UTC is a time standard that is the basis for time and time zones worldwide. No country uses UTC as a local time.
  • Neither GMT nor UTC ever change for Daylight Saving Time (DST). However, some of the countries that use GMT switch to different time zones during their DST period. For example, the United Kingdom uses GMT for most of the year, but switches to British Summer Time (BST) during the summer months. BST is one hour ahead of GMT.

What time zone is used for timestamps

When data is indexed and added to your Splunk instance, the Splunk indexer assumes that any timestamps in the data are in the same time zone as your Splunk instance.

Let's use a set of test data that contains 35 events with various timestamps. The data looks something like this:

timestamp test_no
01 Oct 2021 00:00 tz_test0
01 Oct 2021 00:15 tz_test1
01 Oct 2021 01:00 tz_test2
01 Oct 2021 01:30 tz_test3
01 Oct 2021 01:45 tz_test4
01 Oct 2021 02:00 tz_test5
01 Oct 2021 02:30 tz_test6

The values in the timestamp field in the sample data file are converted to UNIX time and stored in the _time field when the data is indexed. However, for display purposes the values in the _time field are shown in a human-readable format.

How time is interpreted when you search

When you specify a time in your search, either by using the time range picker or using time modifiers, the time that you specify is converted into UNIX time for processing. See Select time ranges to apply to your search and Specify time modifiers in your search.

Because event timestamps are stored in UNIX time, your searches return a consistent set of results regardless of the time zone you are in.

For example, if you search from 12:00 to 14:00 PDT (Pacific Daylight Time), that is the same as searching from 19:00 to 21:00 GMT (Greenwich Mean Time) which is 7 hours ahead of PDT. When daylight saving time is over, Pacific Standard Time (PST) is used. The difference between GMT and PST is 8 hours.

In Splunk user interfaces, the values in the _time field appear in a human-readable format in the UI. However, the values in the _time field are actually stored in UNIX time.

How time zones impact search results

The time range that you specify for a search might return different sets of events in different time zones. This can occur for time ranges that you specify using the time range picker and time ranges that you specify explicitly in the search with the earliest and latest time modifiers, Here are some examples:

  • If you use Last 24 hours time range picker setting, the search processes the events using UNIX time. The same set of events are returned for a user in San Francisco and a user in Tokyo.
  • If you use a time range that refers to a time associated with today such as Since 00:00:00, the search processes events based on midnight of your time zone, not UNIX time. A different set of events are returned for a user in San Francisco and a user in Tokyo, because the time that midnight occurs is different in each timezone. There are several settings in the time range picker that fall into this category, such as the Preset setting Today and the Date Range setting Since <today's date>.
  • If you use a snap-to time, such as @d or @mon, the search processes events based on the beginning of the day or month of your timezone, not UNIX time. A different set of events are returned for a user in San Francisco and a user in Tokyo, because the beginning of a day or month in one time zone is not the same UNIX time as the beginning of a day in another time zone.

To mitigate the issues with time zones, specify time based on the time zone where the Splunk indexer resides.

See also

Related information
Timestamps and time ranges
Time modifiers
Specifying relative time
Last modified on 18 July, 2022
PREVIOUS
Using time variables 		  NEXT
Lexicographical order

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters