topic Re: Timezone calculation error? in Getting Data In

Timezone calculation error?

jgauthier — Fri, 01 Apr 2011 08:30:29 GMT

I just finished loading a lot of data, and when reviewing it, I am seeing something odd.

First, my log file is in GMT, and I've set up my props.conf to look like so:

[Exchange2003]
TIME_FORMAT = %Y-%-m%-d\t%-H:%-M:%-S
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 15
KV_MODE = none
SHOULD_LINEMERGE = false
TRANSFORM
REPORT-Exchange2003 = Exchange2003
TZ=GMT

I have three log file entries I've identified for comparison:

Log file:
2011-4-1    0:4:42 GMT
Splunk Time:
4/1/11 12:03:28.478 AM 

Log file:
2011-4-1    1:21:34 GMT
Splunk Time:
3/31/11 9:21:34.000 PM

Log file:
2011-4-1    1:20:26 GMT
Splunk Time:
4/1/11 9:20:12.081 PM

Notice the one in the middle is correct. I'm not sure what caused it, or how to fix it. Any suggestions?

Re: Timezone calculation error?

netwrkr — Fri, 01 Apr 2011 19:49:04 GMT

Anything different about the logs associated with the incorrect time? I assume Splunk is using 'index' time versus parsing the time from the logged event?

Re: Timezone calculation error?

jgauthier — Fri, 01 Apr 2011 20:13:26 GMT

The lines look the same. This is a tab delimeted file, and every entry is idenitical. New items coming in are wrong still, (just checked this morning). It's not using index time, as it's 9:07am (ET) now, and splunk is showing this:
4/1/11 11:23:10.034 PM
But the log is:
2011-4-1 3:23:18 GMT
So, it should be more like 03/31/11 00:23:18.
Not in the future! 😃
It looks like some are correct and others are not.
Another example:
Log File:
2011-4-1 13:9:58
Splunk:
4/1/119:09:58.000 AM

Re: Timezone calculation error?

jgauthier — Fri, 01 Apr 2011 20:15:12 GMT

I added that too soon 🙂
Log file:
2011-4-1 9:16:32 GMT
Splunk:
4/1/11 9:16:30.224 AM
Notice the time! It's not 9:16AM yet. It's almost like it has ignored the TZ setting, and perhaps only on single digit hours?
Looking for more details. Host, sourcetype, and source are identical.

Re: Timezone calculation error?

jgauthier — Tue, 05 Apr 2011 08:37:59 GMT

Just bumping this for more ideas. This is still happening with new events.
I have no idea where to go with this.

Re: Timezone calculation error?

gkanapathy — Tue, 05 Apr 2011 13:07:35 GMT

What's the name of the file? Also, it looks to me like your TIME_FORMAT above is just wrong, so can you confirm what is in your config file?

Update:

Seems to me your TIME_FORMAT is basically wrong and will never match your data, so Splunk is pretty much just guessing from where-ever it can, including the file name and/or file mod time, so it probably seems mysterious.

This is what you have:

%Y-%-m%-d\t%-H:%-M:%-S

You should have:

%Y-%m-%d%t%H:%M:%S %Z

Re: Timezone calculation error?

jgauthier — Tue, 05 Apr 2011 18:49:58 GMT

Sure! Log files are named like this: 40110504.log (today's)

TIME_FORMAT = %Y-%-m%-d\t%-H:%-M:%-S
I've compared it visually to the log file entry, and I don't see anything wrong 😞 I have also done only 3 custom log files, so I'm not a champion by any means 😉

Re: Timezone calculation error?

jgauthier — Wed, 06 Apr 2011 00:37:53 GMT

So, a tab is %t not \t?
(just to confirm)

Re: Timezone calculation error?

jgauthier — Wed, 06 Apr 2011 00:38:58 GMT

wait, more questions abound. I read that too quickly. The hours, minutes, and seconds are not zero padded. I don't understand why the "-" is omitted for those. I am going to put this in place and see what happens!

Re: Timezone calculation error?

jgauthier — Wed, 06 Apr 2011 00:48:16 GMT

I read up on the strptime() requirements. I see the %t now. Understood. for %Y,%m,%d,%H,%M, and %S it is indicated that "leading zeros are permitted but not required". so why include a dash on the date and not time? I would think both could possibly be removed. Thanks a bunch!

Re: Timezone calculation error?

gkanapathy — Wed, 06 Apr 2011 01:05:56 GMT

strptime() format has essentially nothing to do with printf() format.

Re: Timezone calculation error?

jgauthier — Wed, 06 Apr 2011 03:02:18 GMT

I understand that, but I don't understand what you're eluding to. when I read docs on TIME_FORMAT, they reference using strptime() formatting. So I did. I, obviously, made a mistake with the tab 🙂 The dashes are still confusing me.

Re: Timezone calculation error?

jgauthier — Wed, 06 Apr 2011 09:14:43 GMT

I have confirmed that the TIME_FORMAT listed above is working correctly. It was subtle, but I see the I had messed up the month detection at least. I was using the hyphens because I read the documentation incorrectly, thinking that I needed the hyphen to detect the lack of 0 padded integers. That wasn't the case at all. I see now that you probably just thought i had the hyphens in the wrong spot! Which, in the long run I did because of my misunderstanding. Thanks for the help!