Getting Data In

Timezone affecting logs date in Splunk

zongwei
New Member

Hi,

My timezone is GMT+8, and this caused logs captured in Splunk to always be 8 hours ago.

For instance:
Time log is captured: 2018-10-31 16:17:30,241
Time shown on splunk: 2018-10-31 08:17:30,241

I have tried configuring TZ in props.conf but it does not seem to work. Here is a snippet of my props.conf:

[source]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = Asia/Singapore

Thanks for your help!

0 Karma

VatsalJagani
SplunkTrust

Hi @zongwei,
Please try below configuration.

props.conf

[source::source-name]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = Timezone of the event source system where the event is generated (if the time in the log event is in UTC/GMT, do not specify this option)

Set your timezone in Splunk by going to User Settings (above the Logout option) -> Timezone

0 Karma

burwell
SplunkTrust

Hello @zongwei. It appears that the props you have for your time format

TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N

doesn't match the time in the logs:

2018-11-01T03:04:33.916+08:00
  1. The time would need to include the letter T after the day of the month
  2. You have %S,%3N for seconds which is seconds + a comma + 3 digits of subseconds. But your logs have a seconds then a period then 3 subseconds
  3. You would need to have a timezone that includes the +08:00 (use %:z I believe)
0 Karma

zongwei
New Member

Hi @burwell,

I am using TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N because the timestamp in the log on which I want the event to be split is 2018-11-01 04:59:40,965

Example of an event

0 Karma

burwell
SplunkTrust

Oh I misunderstood the issue. Also I can't see the example (I see a broken image)

So it sounds to me like perhaps your user profile has a time setting, so you are showing the events in a different timezone:

http://docs.splunk.com/Documentation/Splunk/7.2.0/Security/ConfigureuserswithSplunkWeb

When I look at this:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Applytimezoneoffsetstotimestamps

You are providing the time info and the timezone data.

0 Karma

zongwei
New Member

Additional info:

For every event log, there is the _time field. Example of a _time field:

2018-11-01T03:04:33.916+08:00

It seems that Splunk does know that the time is short by 8 hours, but the log display ignores the +08:00 behind the _time field.

Is there any way to work around this to display the correct time? Thank you!

0 Karma