There is something wrong (or not obvious from the documentation) with how `collect` takes timezones.
`_time` fields should be stored in unixtime, right?
I have a report which does a long search and I use `collect` to take a `_time` and I use `addtime=t` to use that `_time` in the new field.
The original timestamp is stored as:
`2019-07-29 23:16:51.884 INFO ...` in `_raw` (UTC). And its `timestamp` field is set to `2019-07-29 23:16:51.884` (UTC) and in my browser, the `_time` is set as `2019-07-29T16:16:51.884-07:00`. That's all correct.
When I use `collect` and use that `_time`, it gets stored as `2019-07-29 23:16:51.884` in the `_raw`, `2019-07-29 23:16:51.884` in the `timestamp` field, but it incorrectly uses `2019-07-29T23:16:51.884-07:00` for `_time`. I don't know why it's using that timezone when it's passing the `_time` (which I thought was unixtime, which is always UTC).
How can I correct for this bug in Splunk?
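A worked illustration, added here and not part of the original post or of Splunk itself: an epoch `_time` rendered as a zone-less `YYYY-MM-DD HH:MM:SS.mmm` string and re-read under the UTC-7 zone from the post lands exactly 7 hours late, while the same instant written with an explicit offset round-trips. That a zone-less string is being re-parsed in local time is an assumption about the observed shift, not something the post confirms.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample: the event's real instant, 2019-07-29 23:16:51.884 UTC, as an epoch
# value (what `_time` holds).
UTC_EPOCH = datetime(2019, 7, 29, 23, 16, 51, 884000, tzinfo=timezone.utc).timestamp()
# The browser zone from the post (UTC-7); assumed here to be the zone a re-parse applies.
LOCAL_TZ = timezone(timedelta(hours=-7))


def render_naive_utc(epoch: float) -> str:
    """Render an epoch in UTC with no zone marker, like the text seen in `_raw`."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]


def render_local(epoch: float) -> str:
    """Render the same epoch in the UTC-7 zone, like the browser's `_time` display."""
    return datetime.fromtimestamp(epoch, tz=LOCAL_TZ).isoformat(timespec="milliseconds")


def reparse_naive(ts: str, assumed_tz: timezone) -> float:
    """Parse a zone-less string; the reader has no choice but to assume a zone."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=assumed_tz).timestamp()


def render_with_offset(epoch: float) -> str:
    """Render the instant with an explicit offset so no assumption is needed on re-parse."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(timespec="milliseconds")


def reparse_with_offset(ts: str) -> float:
    """Parse an ISO-8601 string that carries its own offset."""
    return datetime.fromisoformat(ts).timestamp()


def drift_seconds(epoch: float, assumed_tz: timezone) -> float:
    """How far the instant moves after a zone-less round trip under `assumed_tz`."""
    return reparse_naive(render_naive_utc(epoch), assumed_tz) - epoch


if __name__ == "__main__":
    print("raw text    :", render_naive_utc(UTC_EPOCH))
    print("browser view:", render_local(UTC_EPOCH))
    print("drift if re-read as UTC-7:", drift_seconds(UTC_EPOCH, LOCAL_TZ), "s")
    print("drift if re-read as UTC  :", drift_seconds(UTC_EPOCH, timezone.utc), "s")
    print("with offset :", render_with_offset(UTC_EPOCH))
```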