Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timezone affecting logs date in Splunk

zongwei
New Member
‎10-31-2018 01:20 AM

Hi,

My timezone is GMT+8, and this caused logs captured in Splunk to always be 8 hours ago.

For instance:
Time log is captured: 2018-10-31 16:17:30,241
Time shown on splunk: 2018-10-31 08:17:30,241

I have tried configuring TZ in props.conf but it does not seem to work. here is snippet of my props.conf

[source]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = Asia/Singapore

Thanks for your help!

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎11-02-2018 02:27 AM

Hi @zongwei,
Please try below configuration.

props.conf

[source::source-name]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = Timezone of event source system where the event is generated (If time in log event is in UTC/GMT then do not specify this option)

Set your timezone into Splunk by going User Setting (above Logout option) -> Timezone

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎10-31-2018 09:46 PM

Hello @zongwei. It appears that the props you have for you time format

TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N

Doesn't match the time in the logs

2018-11-01T03:04:33.916+08:00
  1. The time would need to include the letter T after the day of the month
  2. You have %S,%3N for seconds which is seconds + a comma + 3 digits of subseconds. But your logs have a seconds then a period then 3 subseconds
  3. You would need to have a timezone that include the +08:00 (use %:z I believe)
0 Karma
Reply

zongwei
New Member
‎10-31-2018 10:12 PM

Hi @burwell,

I am using TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N because the date of the log that I want the event to be split is 2018-11-01 04:59:40,965

Example of an event

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎11-01-2018 10:12 PM

Oh I misunderstood the issue. Also I can't see the example (I see a broken image)

So it sounds to me like perhaps your user profile has a time setting so you are showing the events in a different timezone:

http://docs.splunk.com/Documentation/Splunk/7.2.0/Security/ConfigureuserswithSplunkWeb

When I look at this:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Applytimezoneoffsetstotimestamps

You are providing the time info and the timezone data.

0 Karma
Reply

zongwei
New Member
‎10-31-2018 08:15 PM

Additonal info:

For every event log, there is the _time field. Example of a _time field:

2018-11-01T03:04:33.916+08:00

It seems that Splunk does know that the time is short by 8 hours, but the logs display ignored the +08:00 behind the _time field.

Is there anyway to workaround with this to display the correct time? Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...