Implementing Splunk 7 (Third Edition)

How Splunk stores time

Once the timestamp is parsed, Splunk always stores it as a UTC (GMT) epoch value: the number of seconds since midnight on January 1, 1970, UTC, with a fractional part when the original timestamp carried subsecond precision. This numeric value is stored in the field _time. Because every event is stored against the same reference, events that happened at the same instant in different time zones line up correctly when searched, and the user's own time zone preference is applied only at display time. This only works if the time zone of the event can be determined when it is indexed, either from an offset in the timestamp itself or from the TZ setting Splunk applies to that source. If the wrong zone is assumed at index time, _time is shifted by the difference between the assumed and actual offsets, and since _time is fixed when the event is written, the only remedy is to correct the time zone configuration and re-index the data.
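The following is an added example, not code from the book or from Splunk, that illustrates the storage model described above: timestamps carrying different offsets all collapse to one epoch value, while a timestamp with no offset depends entirely on the zone the indexer assumes. The log lines, the `EASTERN_STANDARD` offset (standing in for a configured TZ), and the helper names are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from the original page): the same
# login event, recorded by hosts in three different time zones.
SAMPLE_LINES = [
    "2023-03-10T12:00:00+00:00 host=web1 action=login user=alice",
    "2023-03-10T07:00:00-05:00 host=web2 action=login user=alice",
    "2023-03-10T13:00:00+01:00 host=web3 action=login user=alice",
]

# The same instant logged by a host that writes local time with no offset.
# Nothing in the line itself tells the indexer which zone that is.
NAIVE_LINE = "2023-03-10 12:00:00 host=web4 action=login user=alice"

# Hypothetical fixed offset standing in for a configured time zone (UTC-5).
EASTERN_STANDARD = timezone(timedelta(hours=-5))

# Leading timestamp: date, clock, optional fraction, optional zone suffix.
TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2})?"
)


def parse_event_time(line, assumed_tz=timezone.utc):
    """Return the UTC epoch value for the timestamp that starts `line`.

    A timestamp with an explicit offset is converted using that offset.
    A timestamp without one is interpreted in `assumed_tz`, which plays the
    role of the zone Splunk falls back on when it cannot detect one.
    """
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no leading timestamp in line: %r" % line)
    date, clock, frac, offset = m.groups()
    dt = datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S")
    if frac:
        # Keep subsecond precision; pad "250" to 250000 microseconds.
        dt = dt.replace(microsecond=int(frac.ljust(6, "0")))
    if offset is None:
        tz = assumed_tz
    elif offset == "Z":
        tz = timezone.utc
    else:
        sign = 1 if offset[0] == "+" else -1
        hours, minutes = int(offset[1:3]), int(offset[4:6])
        tz = timezone(sign * timedelta(hours=hours, minutes=minutes))
    return dt.replace(tzinfo=tz).timestamp()


def to_event(line, assumed_tz=timezone.utc):
    """Build a minimal Splunk-style event: _time is the epoch value, _raw the text."""
    return {"_time": parse_event_time(line, assumed_tz), "_raw": line}


def time_spread(lines, assumed_tz=timezone.utc):
    """Seconds between the earliest and latest _time across `lines`.

    Zero means every line was stored against the same instant.
    """
    times = [parse_event_time(line, assumed_tz) for line in lines]
    return max(times) - min(times)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_event(line)["_time"], line)
    print("spread across zones:", time_spread(SAMPLE_LINES))
    # A wrong zone assumption shifts _time by the offset difference (5 h here).
    print("naive line, assumed UTC:  ", parse_event_time(NAIVE_LINE))
    print("naive line, assumed UTC-5:", parse_event_time(NAIVE_LINE, EASTERN_STANDARD))
```

Run as a script, the three zone-qualified lines print the same _time and a spread of zero, while the naive line lands five hours apart depending on the assumed zone. That gap is exactly what an investigator sees when one source was indexed under the wrong TZ: its events sort out of order against every other source, and no search-time adjustment will fix the stored _time.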