Getting Data In

Change timezone of timestamps from UTC to AEDT

hemendralodhi
Contributor

Hello,

I am having a hard time understanding timezone assignment to the log event. I went through all the required docs but still don't have a proper understanding.

My log timestamp looks like below, with timezone information as UTC.

2017-10-13 03:08:19.185+0000: starting up

Search Head/Indexer time zone is AEDT (Australia/Sydney). I want to ingest the data where user can search the data based on AEDT timezone only without changing timezone from web interface.

I have done the below config in props.conf

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%z
TZ = UTC

Here's how the logs are looking in Splunk. Is this correct? So if a user is searching the data, will he see the correct result based on the time range selected, with the result being the UTC logs converted to the AEDT time zone?

Please help.


0 Karma

VatsalJagani
SplunkTrust

@hemendralodhi - Time shown in search is always based on user time preference.

0 Karma

VatsalJagani
SplunkTrust

@hemendralodhi,

As your timestamp extraction configuration looks good, you will always see data based on the time preference specified (if not set, the default is the SH machine timezone). It is not dependent on the props configuration.

Hope this helps!!!

0 Karma

jnudell_2
Builder

Hi @hemendralodhi ,

When Splunk writes a timestamp to an index at index time, it gets written as an epoch time value, which is unaware of time zone information. At that point, it is up to the search head to present that epoch time value in a way that is relevant to the time zone of the user.

As per the docs (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf) your time zone setting in props.conf of TZ = UTC does not do anything because there is time zone information in the event itself, which takes precedence.

From your image, it looks like the event is being displayed by a user who has their time zone set to GMT (UTC). But it's also confusing because the date_zone value suggests that the events have been written as GMT+11:00. There is something odd going on there. If it were written as GMT+11:00 the time stamp in your event would not match the event time value.

I understand that you may not want to set the time zone in the web interface, but that is the best way to do it. If you modify the timestamp values as they're written at index time, you're not going to have good results down the road because this is not best practice, and is inconsistent with the way Splunk tracks time.

If the search head is set as AEDT, then by default any user who does not set his time zone setting will be using the time zone of the search head.

0 Karma

jawaharas
Motivator

The timezone configured in the search head (for a particular user) is independent of the timezone of the log events that are indexed in the indexers.

For example,

#--props.conf
TZ = UTC

If the above configuration exists in the indexer's or heavy forwarder's 'props.conf' file, the log events will be indexed in the UTC timezone. But while the logs are accessed through the search head (which is configured in the AEDT timezone), the timezone conversion will be applied automatically and you will see the logs in the AEDT timezone.

0 Karma

jnudell_2
Builder

TZ only works if there is no time zone information in the event itself. The provided sample event clearly has a time zone value (+0000), so TZ = UTC is disregarded.

0 Karma
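The precedence rule the thread settles on (an offset inside the event beats the props.conf TZ fallback, the stored value is a timezone-free epoch, and only the viewer's preference decides how it renders) can be checked outside Splunk. This is an added example written for this page, not Splunk's code or anything the posters ran; it models TZ as a fallback parameter, treats AEDT as a fixed +11:00 offset (the GMT+11:00 seen in the question's date_zone, not the real DST-aware Australia/Sydney zone), and uses the question's sample event plus a constructed variant without an offset.

```python
from datetime import datetime, timedelta, timezone

# Sample event from the question, and a constructed variant with no offset.
EVENT_WITH_OFFSET = "2017-10-13 03:08:19.185+0000: starting up"
EVENT_NO_OFFSET = "2017-10-13 03:08:19.185: starting up"

# Assumption: AEDT modelled as a fixed +11:00 offset (GMT+11:00 in the question).
AEDT = timezone(timedelta(hours=11), "AEDT")


def event_has_offset(raw):
    """True when the leading timestamp carries its own UTC offset (e.g. +0000)."""
    stamp = raw.split(": ", 1)[0]
    try:
        datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f%z")
        return True
    except ValueError:
        return False


def index_time_epoch(raw, tz_fallback):
    """Model of index-time timestamp handling: return epoch seconds.

    tz_fallback plays the role of TZ in props.conf. It is consulted only when the
    event itself has no offset; an explicit offset in the event always wins.
    """
    stamp = raw.split(": ", 1)[0]
    if event_has_offset(raw):
        dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f%z")
    else:
        naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
        dt = naive.replace(tzinfo=tz_fallback)
    return dt.timestamp()  # epoch: no timezone attached to the stored value


def render_for_user(epoch, user_tz):
    """Search-time display: the same epoch rendered in the viewer's preference."""
    return datetime.fromtimestamp(epoch, user_tz).strftime("%Y-%m-%d %H:%M:%S %Z")


if __name__ == "__main__":
    epoch = index_time_epoch(EVENT_WITH_OFFSET, AEDT)  # fallback ignored here
    print("stored epoch:", epoch)
    print("user in UTC :", render_for_user(epoch, timezone.utc))
    print("user in AEDT:", render_for_user(epoch, AEDT))
    # Without an offset in the event, the fallback changes the stored epoch.
    print("no offset, TZ=AEDT:", index_time_epoch(EVENT_NO_OFFSET, AEDT))
    print("no offset, TZ=UTC :", index_time_epoch(EVENT_NO_OFFSET, timezone.utc))
```

Running it shows the sample event landing on one epoch regardless of the fallback, rendering as 03:08:19 UTC or 14:08:19 AEDT depending only on the viewer, while the offset-free variant shifts by eleven hours depending on TZ.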