Hi,
I have a log that has the format below; I need its GMT to be -3h.
That is, in the log file the time is (2019-12-08 06:03:54.463); however, I need it to be indexed in Splunk as (2019-12-08 03:03:54.463).
(2019-12-09 08:04:57.618) (2019-12-08 12:47:17.125)
easy_init.27964 (thread #0, tid: 40920) (trace:0) (proc_launch): Process easy_log successfully launched (31412)
(2019-12-09 08:04:57.665) (2019-12-09 08:04:57.649)
easy_init.exe.27964 (trace:4) (proc_launch): Process dbmon.oci successfully launched (19320)
(2019-12-09 08:04:58.571) (2019-12-09 08:04:58.571)
tsrv.exe.18260 (trace:0) ([ trace: disabled ] version '8.4' [ build 0 (Jun 11 2019 11:11:18) Update 1220 ]): information
(2019-12-09 08:04:58.571) (2019-12-09 08:04:58.571)
tsrv.exe.45784 (trace:0) ([ trace: disabled ] version '8.4' [ build 0 (Jun 11 2019 11:11:18) Update 1220 ]): information
The regex below correctly indicates the events; however, the times are not GMT -3h.
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%Y-%m-%d%t%H:%M:%S.%3N
TIME_PREFIX=^\(
disabled=false
pulldown_type=true
Set the TZ parameter in the props.conf.
Here's the documentation:
TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
follows:
* If the event has a timezone in its raw text (for example, UTC, -08:00),
use that.
* If TZ is set to a valid timezone string, use that.
* If the event was forwarded, and the forwarder-indexer connection uses
the version 6.0 and higher forwarding protocol, use the timezone provided
by the forwarder.
* Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string
https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Propsconf
In the props.conf stanza for the sourcetype, add TZ to tell Splunk the time zone.
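Added example (not from the original post, the answer, or Splunk itself): a small Python check of what a given TZ value does to the first timestamp of a line in this log format, so the zone name can be confirmed before it goes into props.conf. It assumes the log's wall-clock times are written in UTC+3 (IANA name Etc/GMT-3, sign inverted by the POSIX convention), which is what makes 06:03 index as 03:03 UTC; the sample line and that zone are assumptions, not values from the post.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed line in the format from the question; the first "(...)" is
# what TIME_PREFIX=^\( and TIME_FORMAT select as the event time.
SAMPLE_LINE = ("(2019-12-08 06:03:54.463) (2019-12-08 06:03:50.001) "
               "easy_init.27964 (trace:0) (proc_launch): Process easy_log "
               "successfully launched (31412)")

def extract_raw_timestamp(line: str) -> str:
    """Mimic TIME_PREFIX=^\\( : text after the leading '(' up to the first ')'."""
    if not line.startswith("("):
        raise ValueError("line does not start with '('")
    return line[1:line.index(")")]

def zone(tz_name: str):
    """Resolve a zoneinfo name; UTC and Etc/GMT+-N also work without tzdata."""
    try:
        return ZoneInfo(tz_name)
    except ZoneInfoNotFoundError:
        if tz_name == "UTC":
            return timezone.utc
        m = re.fullmatch(r"Etc/GMT([+-])(\d{1,2})", tz_name)
        if not m:
            raise
        # POSIX sign convention is inverted: Etc/GMT-3 means UTC+3.
        hours = int(m.group(2)) * (1 if m.group(1) == "-" else -1)
        return timezone(timedelta(hours=hours))

def epoch_for(raw_ts: str, tz_name: str) -> float:
    """Treat the raw text as wall-clock time in tz_name (what TZ declares)
    and return the UTC epoch that Splunk would store as _time."""
    # Python equivalent of TIME_FORMAT=%Y-%m-%d%t%H:%M:%S.%3N for this sample.
    naive = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S.%f")
    return naive.replace(tzinfo=zone(tz_name)).timestamp()

def shown_as(tz_name: str, display_tz: str = "UTC", line: str = SAMPLE_LINE) -> str:
    """Time a user whose display zone is display_tz sees for the line."""
    epoch = epoch_for(extract_raw_timestamp(line), tz_name)
    shown = datetime.fromtimestamp(epoch, zone(display_tz))
    return shown.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]   # keep milliseconds

if __name__ == "__main__":
    # Etc/GMT-3 declares the log as UTC+3, so 06:03 indexes as 03:03 UTC;
    # Etc/GMT+3 (UTC-3) would go the other way, to 09:03.
    for tz in ("UTC", "Etc/GMT-3", "Etc/GMT+3"):
        print(f"TZ = {tz:<9} -> shown in UTC as {shown_as(tz)}")
```

TZ only declares the zone the raw text is written in; what a user sees afterwards depends on their own display zone, which is why the check renders in UTC separately.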