https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75567#M15402 <P>Hi all,</P> <P>Splunk adds one hour to timestamp, when indexing logs. </P> <P>Example of my logs: </P> <P>[ 21/Feb/2012 1:05:32.306 PM] I got ID_TRANS ... </P> <P>so when such log falls into splunk, it got a timestamp like <BR /> 2/21/12<BR /> 2:05:32.306 PM</P> <P>My props.conf for these logs is:</P> <P>[sourcetype::verytest]<BR /> MAX_TIMESTAMP_LOOKAHEAD=31<BR /> NO_BINARY_CHECK=1<BR /> TIME_FORMAT=%d/%b/%y %H:%M:%S.%3N %p</P> <P>My timezone is - <BR /> (GMT +03:00) Moscow, St. Petersburg, Volgograd</P> <P>What I`m doing wrong? </P> Mon, 28 Sep 2020 11:25:27 GMT astepanov 2020-09-28T11:25:27Z https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75567#M15402 <P>Hi all,</P> <P>Splunk adds one hour to timestamp, when indexing logs. </P> <P>Example of my logs: </P> <P>[ 21/Feb/2012 1:05:32.306 PM] I got ID_TRANS ... </P> <P>so when such log falls into splunk, it got a timestamp like <BR /> 2/21/12<BR /> 2:05:32.306 PM</P> <P>My props.conf for these logs is:</P> <P>[sourcetype::verytest]<BR /> MAX_TIMESTAMP_LOOKAHEAD=31<BR /> NO_BINARY_CHECK=1<BR /> TIME_FORMAT=%d/%b/%y %H:%M:%S.%3N %p</P> <P>My timezone is - <BR /> (GMT +03:00) Moscow, St. Petersburg, Volgograd</P> <P>What I`m doing wrong? </P> Mon, 28 Sep 2020 11:25:27 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75567#M15402 astepanov 2020-09-28T11:25:27Z https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75568#M15403 <P>You could try to assign the timezone in your props.conf: <A href="http://docs.splunk.com/Documentation/Splunk/4.3/Data/Applytimezoneoffsetstotimestamps">Apply Timezone</A></P> Tue, 21 Feb 2012 09:54:59 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75568#M15403 MarioM 2012-02-21T09:54:59Z https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75569#M15404 <P>Thx, MarioM</P> <P>it Really Helps.</P> <P>For Russia Moscow props.conf for such logs should looks like this one:</P> <PRE><CODE>[sourcetype::your_sourcetype_name] MAX_TIMESTAMP_LOOKAHEAD = custom, for example 31 NO_BINARY_CHECK=1 (Do not check for binary, Speed up Perfomance) TIME_FORMAT=%d/%b/%y %H:%M:%S.%3N %p (Custom date timeformat, to help indexer understand timespamps, [more info][1]) TZ=Europe/Moscow </CODE></PRE> <P>TZ should be equals to TZ=Europe/Moscow (Only for logs in Mosow TimeZone (+03.00)).</P> Tue, 21 Feb 2012 10:20:01 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75569#M15404 astepanov 2012-02-21T10:20:01Z https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75570#M15405 <P>Hi!<BR /> Do you have UTC+03:00 after assigning TZ=Europe/Moscow?</P> <P>I'm struggling with the same issue at the moment, i.e. Europe/Moscow gives me UTC+03:00, but we are actually in UTC+04:00.</P> Tue, 21 Feb 2012 10:53:19 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75570#M15405 greg 2012-02-21T10:53:19Z https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75571#M15406 <P>Hi, greg!</P> <P>For UTC +04.00 you should use Asia/Krasnoyarsk it will gives you UTC +04.00 for more information about timezone, you could study MarioM link (<A href="http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones">http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones</A>)</P> Tue, 21 Feb 2012 10:59:40 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75571#M15406 astepanov 2012-02-21T10:59:40Z https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75572#M15407 <P>Well, according to this wikipedia table, column "Standard Time", Asia/Krasnoyarsk is UTC+08:00, which is too much for me <span class="lia-unicode-emoji" title=":winking_face:">😉</span> I'm still in Europe/Moscow (not Moscow +0400).</P> Tue, 21 Feb 2012 11:09:29 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75572#M15407 greg 2012-02-21T11:09:29Z https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75573#M15408 <P>Ohg, It`s my fault, sorry. </P> <P>Did you check time on your server with Splunk installation, is it correct?</P> Tue, 21 Feb 2012 11:13:51 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75573#M15408 astepanov 2012-02-21T11:13:51Z https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75574#M15409 <P>Yes, I have checked everything twice.<BR /> My situation is stated in this question:<BR /> <A href="http://splunk-base.splunk.com/answers/40985/time-zone-recognition-still-doesnt-work-after-editing-propsconf">http://splunk-base.splunk.com/answers/40985/time-zone-recognition-still-doesnt-work-after-editing-propsconf</A></P> <P>Could you please check on your system, do you really have UTC+0300 for Europe/Moscow?</P> Tue, 21 Feb 2012 11:23:42 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-Timestamp/m-p/75574#M15409 greg 2012-02-21T11:23:42Z