We are seeing some very strange _time fields for events being indexed on Splunk by the CA CEM product that are 6 hours after the event actually happened? How can this be corrected?

We are seeing some very strange _time fields for events being indexed on Splunk by the CA CEM product that are 6 hours after the event actually happened? How can this be corrected?

Article Id: 14917

Status: Published

Updated On: 14-02-2018 08:05

Legacy Id: TEC1914905

Products:

CA Compliance Event Manager

Issue/Introduction:

We are seeing some very strange _time fields for events being indexed on Splunk by the CA CEM product that are 6 hours after the event actually happened? How can this be corrected?

Environment:

Release:
Component: CEVM

Resolution:

With Splunk, if you index data from different time zones, you can use time zone offsets to ensure that they correlate correctly when you search.

With Splunk you can configure time zones based on the host, source, or source type of an event using the props.conf file in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.

Details can be found "Configure timestamps" in the Splunk documentation.

The "Configure timestamps" section covers the following topics:

Specify time zones for timestamps
How Splunk software determines time zones
Specify time zones in props.conf
Examples of time zone specification in props.conf
zoneinfo (TZ) database
Map timezone strings extracted from event data
Set the time zone for a user's search results