timezone issue with custom log time date stamp

ebailey · ‎06-04-2014

I have a log with a custom time date stamp. I am running into an issue where the index time is exactly one hour ahead of the event time stamp in the log. Could this be an issue with how I defined the date stamp in my props? I should add that the application server and the splunk server are set to use CST and have the correct system time.

Here is a time stamp from the log

2014-06-04T11:38:15.190 CST

My props for the time stamp

[prd_ufo_stats]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %Y-%m-%dT%H:%M:%S:%3N %Z
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = False
TRUNCATE = 100000
KV_MODE = None

Thanks!

jarjoh42 · ‎06-04-2014

This doc should help fix your time stamp issue

http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/ApplyTimezoneOffsetsToTimeStamps

ebailey · ‎06-04-2014

Missing something- the props for this sourcetype is on the search head so I made the change and added "TZ = US/Central" and then restarted the search head with no difference.

Do I need to drop %Z from the timestamp defined in props? Everything involved with the data stream is in CST so I am not sure why this is the issue other than the custom time date stamp.

k_harini · ‎01-17-2018

Did this work? I'm facing same issue

timezone issue with custom log time date stamp

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...