Solved: splunk detects _time right, but displays it wrong

horsefez · ‎12-21-2015

Hi,

I have an issue with the _time field in Splunk.

An event like this gets into Splunk.

While the date_hour, date_minute and date_second fields are extracted correctly the _time field doesn't display the time correctly.
8:05 AM is not 10:05 in european format.

The sourcetype for these events is specified as following

Somehow the _time field does not show the correct timestamp.

What can I do?

jmallorquin · ‎12-21-2015

Hi,

The problem is the timezone (is not time format), that you have selected. Probably your rol isn't in the same time zone.

Regards,

View solution in original post

Dworsnop · ‎08-20-2018

Sorry to resurrect this post but it describes the same problem I'm having and I can't seem to get it working.
(I'm using Splunk Enterprise v6.6.8)

I created an input using DB Connect 2.4.0 and at the point of setting the Metadata for my DB input my source and sourcetype didn't exist, so I typed them into the boxes and all appeared well. Until of course I realise that my input is using a 'UTCDateTime' field from my original source as its timestamp however it is being displayed another hour behind UTC for some reason. ** I'm in the UK so our current local time is UTC+1. ** The user that the DB Connect Inputs runs as is set to "Default System Timezone", I have checked the date/time for the HF on which DB Connect resides and it is correct (UTC+1).

I then set about creating the sourcetype on my SH, Indexer and HF, setting the Timestamp to Auto. My data is still being indexed with a timestamp an hour behind the time specified in the original UTCDateTime field.

I haven't tinkered with any props.conf files or anything like that yet.

Any ideads where I've gone wrong, do I need to restart any/all of the servers for the sourcetype to work?

Dworsnop · ‎08-28-2018

Just closing this off now as I've fixed my problem. I'm now pointing to the LocalDateTime column as the timestamp which my SH automatically changes to UTC as per all other logs so it's consistent throughout.
Happy days.

FrankVl · ‎08-28-2018

What you could have done instead, is set the timezone in the db connect connection to UTC. If you use a UTC column to get the time, you need to tell Splunk it is UTC, otherwise it will interpret it based on the forwarder's local timezone (in your case UTC+1).

Dworsnop · ‎08-28-2018

When you say "set the timezone in the db connect connection to UTC", where exactly would I do this? I can't see an option for setting the timezone of a DB connection.
Thanks

FrankVl · ‎08-28-2018

Here:

Dworsnop · ‎08-28-2018

Ah thanks FrankVI. From the looks of your screenshot you must be using a more-up-to-date version of DB Connect than me (2.4.0).
Maybe time I did an upgrade!

FrankVl · ‎08-28-2018

Yeah, I'm running 3.1.3 here.

Maybe you could still set it through a props.conf as you would normally do with timezone settings, but not sure if that works for db connect inputs.

Dworsnop · ‎08-28-2018

No, from reading the Splunk Docs it doesn't appear possible in this version.

Happy to be proven wrong though...

FrankVl · ‎08-28-2018

props.conf is independent from DB Connect version right? There must be some way to tell Splunk how to interpret timezones...

jmallorquin · ‎12-21-2015

Hi,

The problem is the timezone (is not time format), that you have selected. Probably your rol isn't in the same time zone.

Regards,

horsefez · ‎12-21-2015

Oh, ok do you think its wrong because the free cloud is hosted in usa an I live in germany?

jmallorquin · ‎12-22-2015

No, the problem is that you set a timezone in the logs and your user (admin) have the default timezone

If you go to settings >> Access control >> users and in your user set the same timezone that you configure in the logs, you will get the correct time.

Hope help you

horsefez · ‎12-22-2015

Thank you, I found it! ♥

splunk detects _time right, but displays it wrong

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes