Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timezone affecting logs date in Splunk

zongwei
New Member
‎10-31-2018 01:20 AM

Hi,

My timezone is GMT+8, and this caused logs captured in Splunk to always be 8 hours ago.

For instance:
Time log is captured: 2018-10-31 16:17:30,241
Time shown on splunk: 2018-10-31 08:17:30,241

I have tried configuring TZ in props.conf but it does not seem to work. here is snippet of my props.conf

[source]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = Asia/Singapore

Thanks for your help!

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎11-02-2018 02:27 AM

Hi @zongwei,
Please try below configuration.

props.conf

[source::source-name]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ = Timezone of event source system where the event is generated (If time in log event is in UTC/GMT then do not specify this option)

Set your timezone into Splunk by going User Setting (above Logout option) -> Timezone

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎10-31-2018 09:46 PM

Hello @zongwei. It appears that the props you have for you time format

TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N

Doesn't match the time in the logs

2018-11-01T03:04:33.916+08:00
  1. The time would need to include the letter T after the day of the month
  2. You have %S,%3N for seconds which is seconds + a comma + 3 digits of subseconds. But your logs have a seconds then a period then 3 subseconds
  3. You would need to have a timezone that include the +08:00 (use %:z I believe)
0 Karma
Reply

zongwei
New Member
‎10-31-2018 10:12 PM

Hi @burwell,

I am using TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N because the date of the log that I want the event to be split is 2018-11-01 04:59:40,965

Example of an event

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎11-01-2018 10:12 PM

Oh I misunderstood the issue. Also I can't see the example (I see a broken image)

So it sounds to me like perhaps your user profile has a time setting so you are showing the events in a different timezone:

http://docs.splunk.com/Documentation/Splunk/7.2.0/Security/ConfigureuserswithSplunkWeb

When I look at this:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Applytimezoneoffsetstotimestamps

You are providing the time info and the timezone data.

0 Karma
Reply

zongwei
New Member
‎10-31-2018 08:15 PM

Additonal info:

For every event log, there is the _time field. Example of a _time field:

2018-11-01T03:04:33.916+08:00

It seems that Splunk does know that the time is short by 8 hours, but the logs display ignored the +08:00 behind the _time field.

Is there anyway to workaround with this to display the correct time? Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...