https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-for-JSON-events-with-no-date-time/m-p/618136#M106670 <P>Verified with Splunk support that setting the time zone in props in combination with setting time zone preference in GUI is correct</P> Mon, 24 Oct 2022 13:32:20 GMT jwalzerpitt 2022-10-24T13:32:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-for-JSON-events-with-no-date-time/m-p/617522#M106616 <P>I have a flat file that is in JSON format where events have no date/time as follows:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{"device": "info.gw.xyz.com", "ip": "x.x.x.x", "age": "0", "mac": "Incomplete", "interface": " "}, {"device": "info.gw.xyz.com", "ip": "x.x.x.x", "age": "-", "mac": "0000.0000.0000", "interface": "Vlan673"}</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>My props.conf file is as follows:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[my_arp] INDEXED_EXTRACTIONS = JSON TZ=UTC</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Problem is when I search events, they are four hours in the future.</P><P>The files are on a sever that has the UF and that has the correct time set so looking through the Splunk docs&nbsp; (<A href="https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/HowSplunkextractstimestamps" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/HowSplunkextractstimestamps</A>) I see this:</P><UL><LI><DIV class="">If no events in the source have a date, Splunk software tries to find a date in the source name or file name. The events must have a time, even if they don't have a date.</DIV></LI></UL><P>The files do have a date and time</P><P>How do I fix this?</P><P>Thx</P> Tue, 18 Oct 2022 13:09:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-for-JSON-events-with-no-date-time/m-p/617522#M106616 jwalzerpitt 2022-10-18T13:09:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-for-JSON-events-with-no-date-time/m-p/617527#M106617 <P>So just checked preferences for my account in Splunk Cloud and no default was set so I changed that to GMT/Eastern Time and now when I search the events they have the correct time.</P><P>Just making sure this is the fix</P> Tue, 18 Oct 2022 13:13:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-for-JSON-events-with-no-date-time/m-p/617527#M106617 jwalzerpitt 2022-10-18T13:13:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-for-JSON-events-with-no-date-time/m-p/618136#M106670 <P>Verified with Splunk support that setting the time zone in props in combination with setting time zone preference in GUI is correct</P> Mon, 24 Oct 2022 13:32:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-for-JSON-events-with-no-date-time/m-p/618136#M106670 jwalzerpitt 2022-10-24T13:32:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-for-JSON-events-with-no-date-time/m-p/618137#M106671 <P>Yes. The data is being logged in GMT/UTC as you specified in props.conf. The _time (or Time column) in search result is translated event time based on current user's timezone (so if you're TZ before UTC, events will show in future). If you want to see the time in the same timezone where they occurred, then what you did is correct (changing your timezone to match data timezone).</P> Mon, 24 Oct 2022 13:36:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-for-JSON-events-with-no-date-time/m-p/618137#M106671 somesoni2 2022-10-24T13:36:33Z