Hello, I'm a newbie in Splunk.
I try to display my log file on Splunk, but I had an issue here.
This is an example from my log file:
2018 Apr 12 13:03:00:000 GMT +0700 Test14
But the displayed time is always added with 7 hours.
Can anyone help me?
Thanks
Try this in your props:
[source::.../*.log]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 16
TZ = Etc/GMT+7
Try to change your timezone in your Account Settings. You must be using GMT and since the event is GMT +7000, Splunk is adjusting the timestamp to your timezone.
Hi. I've already tried to change my timezone to GMT + 07.00 but still no changes on my log display.
Did you have timezone information in your original props.conf?
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N %Z %z
For using this time format with timezone (%Z), I have to increase the MAX_TIMESTAMP_LOOKAHEAD to 34, right?
I've already tried it also, and still no changes.
My props.conf:
TZ = GMT
TIME_PREFIX = ^
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N %Z %z
MAX_TIMESTAMP_LOOKAHEAD = 34
Did I miss something?
You will need to reindex the file to see changes though.
Also you can remove TZ since we get timezone from TIME_FORMAT.
For info, I've already tried using this config in my props.conf but it does not work:
TZ = GMT
TIME_PREFIX = ^
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N
MAX_TIMESTAMP_LOOKAHEAD = 24
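An added example, not written by anyone in this thread and not Splunk's own code: a Python model of the two configurations discussed above, using the sample event from the question. It assumes Python's strptime as a stand-in for the timestamp parser (with %f in place of %3N) and hypothetical helper names; it shows that a 34-character window picks up the event's own +0700 offset, while a 24-character window falls back to the configured zone and a GMT+7 viewer then sees the time shifted by 7 hours.

```python
from datetime import datetime, timedelta, timezone

# Sample event line quoted in the question.
SAMPLE = "2018 Apr 12 13:03:00:000 GMT +0700 Test14"

FULL_FORMAT = "%Y %b %d %H:%M:%S:%f %Z %z"   # mirrors %Y %b %d %H:%M:%S:%3N %Z %z
NO_ZONE_FORMAT = "%Y %b %d %H:%M:%S:%f"      # mirrors %Y %b %d %H:%M:%S:%3N
NO_ZONE_LENGTH = 24                          # characters up to the milliseconds


def parse_event_time(line, lookahead, assumed_offset_hours=0):
    """Parse the timestamp from the first `lookahead` characters of `line`.

    If the window includes the zone fields, the offset written in the event
    is used. Otherwise the timestamp is treated as being in the assumed zone
    (the role played by the TZ setting in the configs above).
    """
    window = line[:lookahead]
    try:
        return datetime.strptime(window, FULL_FORMAT)
    except ValueError:
        naive = datetime.strptime(window[:NO_ZONE_LENGTH], NO_ZONE_FORMAT)
        assumed = timezone(timedelta(hours=assumed_offset_hours))
        return naive.replace(tzinfo=assumed)


def render(event_time, viewer_offset_hours):
    """Show an indexed time the way a viewer in the given UTC offset sees it."""
    viewer = timezone(timedelta(hours=viewer_offset_hours))
    return event_time.astimezone(viewer).strftime("%Y-%m-%d %H:%M:%S")


def compare(line=SAMPLE, viewer_offset_hours=7):
    """Return what the viewer sees for each lookahead/zone combination."""
    return {
        "lookahead=34, offset from event": render(
            parse_event_time(line, 34), viewer_offset_hours),
        "lookahead=24, assumed GMT": render(
            parse_event_time(line, 24, 0), viewer_offset_hours),
        "lookahead=24, assumed GMT+7": render(
            parse_event_time(line, 24, 7), viewer_offset_hours),
    }


if __name__ == "__main__":
    for label, shown in compare().items():
        print(f"{label:35s} -> {shown}")
```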