I have selected the Time stamp format %b %d %H:%M:%S CET %Y for one of the source-types.
I would like to change it in such a way, so that it can handle both CET and CEST.
Not sure, but did you try TZ in this format in props?
TZ = Europe/London
And are the Universal forwarders and search head in the same timezone?
One more question - why two timezones in a single log file?
Also, when I searched, it says CEST is not used nowadays at all.
https://www.timeanddate.com/time/zones/cest
Have you tried %b %d %H:%M:%S %Z %Y?
It's not working as expected.
Date format in the event:-
Wed Aug 23 16:44:28 CEST 2016
Wed Aug 23 16:46:20 CET 2016
Props.conf settings:-
Timestamp format = %b %d %H:%M:%S CET %Y
Timestamp prefix = \s+\w+\s+
If I use `CET` or `CEST` in `Timestamp format`, the date and time are extracted properly.
But if I use %Z in the place of CET or CEST:-
Timestamp format = %b %d %H:%M:%S %Z %Y
The Hours field is showing two hours less for both CEST and CET.
When you say the Hours field is showing two hours less than CEST, is it the _time value in search? What timezone are your Indexers in, and what is the time zone of the user from which you're running the search?
Events come with the following hard-coded date format.
Wed Aug 23 16:44:28 CEST 2016
Wed Aug 23 16:46:20 CET 2016
In Props.conf settings:-
Timestamp format = %b %d %H:%M:%S CET %Y
Timestamp prefix = \s+\w+\s+
If I use `CET` or `CEST` in `Timestamp format`, the date and time are extracted properly into the _time field.
I want to make this generic, so that it works with CET or CEST.
But if I use %Z in the place of CET or CEST, the hours field is not extracted properly into the _time field for both CEST and CET.
Timestamp format = %b %d %H:%M:%S %Z %Y
The _time field is not getting proper values when I change the time zone from where I am running my search.
The events come with the following date format. They have CET or CEST hard-coded in the event.
Wed Aug 23 16:44:28 CEST 2016
Wed Aug 23 16:46:20 CET 2016
In Props.conf settings:-
Timestamp format = %b %d %H:%M:%S CET %Y
Timestamp prefix = \s+\w+\s+
If I use `CET` or `CEST` in `Timestamp format`, the date and time are extracted properly into the _time field.
I want to make this generic, so that it can handle both CET and CEST.
But if I use %Z in the place of CET or CEST, the Hours field in _time is showing wrong hours for both CEST and CET.
Timestamp format = %b %d %H:%M:%S %Z %Y
I'm tempted to suggest using TZ_ALIAS, but I'm not sure it will help.