Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

_time is 6hrs behind but the event time is real time.

sathiyasun
Explorer
‎11-14-2023 09:35 AM

I have this props.conf TIME is almost 6hrs off from the event time. Below is my props.

[app_log]
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)\d+\-\d+\-\d+\s\d+\:\d+\:\d+\w
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^
TZ=US/Central

 

Sample log:-

 

This is event time which is ingesting fine "2023-11-14 10:59:58Z"

2023-11-14 10:59:58Z stevelog Closed Successfully
2023-11-14 10:59:58Z stevelog_close
2023-11-14 10:59:58Z Resetting CWD back from C:\WINDOWS\SysWOW64\inetsrv
2023-11-14 10:59:58Z Resetting CWD complete, back too C:\WINDOWS\SysWOW64\inetsrv
2023-11-14 10:59:58Z steveEngineMain Thread ====================> END

 

The actual TIME is 6hrs how than event time. Please find the attached screen and request you to let me know what the time difference.

sathiyasun_0-1699983123773.jpeg

 




 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-14-2023 09:49 AM

It looks correct.  The events are timestamped in UTC, but the props.conf says to convert times to Americas/Chicago, which is 6 hours behind UTC.

I recommend changing the props to extract the time zone from the timestamp.

[app_log]
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)\d+\-\d+\-\d+\s\d+\:\d+\:\d+\w
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S%Z
TIME_PREFIX=^
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-14-2023 09:49 AM

It looks correct.  The events are timestamped in UTC, but the props.conf says to convert times to Americas/Chicago, which is 6 hours behind UTC.

I recommend changing the props to extract the time zone from the timestamp.

[app_log]
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)\d+\-\d+\-\d+\s\d+\:\d+\:\d+\w
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S%Z
TIME_PREFIX=^
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...