Getting Data In

How to change the time format before or while logs are being parsed?

Makinde
New Member

I have a database log that comes in with a time stamp which is used by Splunk as the time stamp. However, I noticed the time is in UTC which is neither my time zone nor the time zone the server is in, but somehow the Database admin can't change the time reported in the raw log.

Is there a way to have Splunk convert the time to MST or its own time zone that matches that of my other logs? Can I put this in the props.conf file so it's done on the indexers before the logs are searched?

What command/string can I put in the props.conf file to make this change?

Thanks,

0 Karma
1 Solution

woodcock
Esteemed Legend

There is no reason to do this. Splunk internally normalizes all times to UTC anyway. Furthermore, it re-normalizes them to your configured user Time zone setting whenever you interact with Splunk. Therefore, as long as you have configured TZ correctly in props.conf and also your Edit Account -> Time zone setting, everything should be handled seamlessly as you would like it to.


Makinde
New Member

How do you configure TZ in props.conf? Is it:

TZ = US/Mountain

Can I also get Splunk to ignore the time stamp in the log and use the time it received the log as the time stamp?

0 Karma

woodcock
Esteemed Legend

That setting is correctly formatted, but keep in mind that it does not CHANGE anything; it informs the indexer what TZ to apply to the time found inside those events (if there is no TZ attached to the timestamp inside the event). You can get Splunk to use _indextime as the timestamp with this:

DATETIME_CONFIG = CURRENT

0 Karma

Makinde
New Member

Thanks Woodcock.

After looking at the logs, it appears there is no TZ attached to the timestamp. Here is what the timestamp in the log looks like:

2016-06-08T18:01:36.293126Z

Looking at this setting, do you think I need to add "TZ = UTC" to the props.conf file?

0 Karma

woodcock
Esteemed Legend

I think that Z is probably Zulu, which means GMT (UTC). You should use this (with no TZ config):

TIME_FORMAT = %Y-%m-%dT%H:%M:%S%6N%z
TZ_ALIAS = Z=UTC

0 Karma
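The thread's point is that the zone carried inside the event (the trailing Z) decides the real instant, the props.conf TZ setting only fills in for zone-less timestamps, and the user's own Time zone preference only affects display. The script below is an added illustration of that model and is not part of the thread or of Splunk itself; it uses the timestamp quoted above as a constructed sample and assumes the user's zone is US/Mountain. It also shows the failure mode a timeline analyst cares about: if the Z were dropped and US/Mountain assumed instead, the same event would land six hours late in the index.

```python
from datetime import datetime
from typing import Optional
from zoneinfo import ZoneInfo

# Constructed sample, modelled on the timestamp the thread quotes from the database log.
SAMPLE_TS = "2016-06-08T18:01:36.293126Z"


def parse_event_time(raw: str, default_tz: Optional[str] = None) -> datetime:
    """Resolve a log timestamp the way the thread describes Splunk doing it.

    A zone carried in the event wins (Python's %z accepts a trailing 'Z', which
    stands in for TZ_ALIAS = Z=UTC). Only a zone-less timestamp receives the
    configured default, which plays the role of the props.conf TZ setting.
    """
    try:
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%f%z")
    except ValueError:
        pass  # no offset in the event, fall through to the configured default
    naive = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%f")
    if default_tz is None:
        raise ValueError("timestamp carries no zone and no default TZ is configured")
    return naive.replace(tzinfo=ZoneInfo(default_tz))


def to_epoch(dt: datetime) -> int:
    """The normalized UTC instant (what the thread calls Splunk's internal form)."""
    return int(dt.timestamp())


def render_in_zone(dt: datetime, user_zone: str) -> str:
    """Display conversion only: the instant is unchanged, the wall clock is the user's."""
    return dt.astimezone(ZoneInfo(user_zone)).isoformat()


def skew_seconds(raw_with_zone: str, wrong_default_tz: str) -> float:
    """How far the indexed time drifts if the 'Z' is lost and the wrong TZ assumed."""
    right = parse_event_time(raw_with_zone)
    wrong = parse_event_time(raw_with_zone.rstrip("Z"), default_tz=wrong_default_tz)
    return wrong.timestamp() - right.timestamp()


if __name__ == "__main__":
    event = parse_event_time(SAMPLE_TS)
    print("epoch (UTC):   ", to_epoch(event))
    print("as US/Mountain:", render_in_zone(event, "US/Mountain"))
    print("skew if Z dropped and TZ=US/Mountain assumed:",
          skew_seconds(SAMPLE_TS, "US/Mountain"), "seconds")
```

Run it as-is to see the same instant rendered in Mountain time and the six-hour error that results from misassigning the zone; in a real deployment the equivalent check is to compare `_time` against `_indextime` for a handful of freshly indexed events.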