I am trying to configure the timestamp format for a db2diag log file, and I am having trouble reading the timezone since it's in a weird format.
This is what the documentation for db2diag log files says about the timezone:
Timestamps in the db2diag log files contain a time zone. For example: 2006-02-13-14.34.35.965000-300, where "-300" is the difference between UTC (Coordinated Universal Time, formerly known as GMT) and local time at the application server in minutes. Thus -300 represents UTC - 5 hours, for example, EST (Eastern Standard Time).
Is there a way I can make Splunk recognize this as a timezone instead of saying it is an "invalid timezone specifier"?
Have you tried this in props.conf on your indexer using a sourcetype stanza header?
#2006-02-13-14.34.35.965000-300
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d-%H.%M.%S.%6N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
I hope you have to add a stanza to the related sourcetype in the props.conf in the local directory.
TZ = UTC
If Splunk does not recognize the timestamp, you have to configure it yourself.
If you don't know how to configure the timestamp, you have to add a sample event to your question so that we can help you configure it.
Happy Splunking!!