We are seeing some very strange _time fields for events being indexed on Splunk by the CA CEM product that are 6 hours after the event actually happened? How can this be corrected?

Document ID:  TEC1914905
Last Modified Date:  06/19/2017
{{active ? 'Hide' : 'Show'}} Technical Document Details

Products

  • CA Compliance Event Manager

Components

  • CA COMPLIANCE EVENT MANAGER:CEVM
Question:

We are seeing some very strange _time fields for events being indexed on Splunk by the CA CEM product that are 6 hours after the event actually happened? How can this be corrected?

Answer:

With Splunk, if you index data from different time zones, you can use time zone offsets to ensure that they correlate correctly when you search. 

With Splunk you can configure time zones based on the host, source, or source type of an event using the props.conf file in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.

Details can be found "Configure timestamps" in the Splunk documentation. 

The "Configure timestamps" section covers the following topics: 

  • Specify time zones for timestamps 
  • How Splunk software determines time zones 
  • Specify time zones in props.conf 
  • Examples of time zone specification in props.conf 
  • zoneinfo (TZ) database 
  • Map timezone strings extracted from event data 
  • Set the time zone for a user's search results 

Please help us improve!

Will this information enable you to resolve your issue?

Please tell us what we can do better.

{{feedbackText.length ? feedbackText.length : '0'}}/255

{{status}}

Not what you were looking for?

Search Again >

Product Information

Support by Product >

Communities

Join a Community >

Chat with CA

Just give us some brief information and we'll connect you to the right CA ExpertCA sales representative.

Our hours of availability are 8AM - 5PM CST.

All Fields Required

connecting

We're matching your request.

Unfortunately, we can't connect you to an agent. If you are not automatically redirected please click here.

  • {{message.agentProfile.name}} will be helping you today.

    View Profile


  • Transfered to {{message.agentProfile.name}}

    {{message.agentProfile.name}} joined the conversation

    {{message.agentProfile.name}} left the conversation

  • Your chat with {{$storage.chatSession.messages[$index - 1].agentProfile.name}} has ended.
    Thank you for your interest in CA.


    Rate Your Chat Experience.

    {{chat.statusMsg}}

agent is typing