topic Re: Is it possible to log the local time on the incoming logs ? in Getting Data In

Is it possible to log the local time on the incoming logs ?

ranjyotiprakash — Tue, 26 Jun 2012 05:45:38 GMT

Is it possible to log the local time on the incoming logs ?

If the log's time is different those logs are missed out in the charts and I want to log the local time on to the logs. So, that whatever be the timezone or time on the logs it should show with the local time.

Thanks !!

Re: Is it possible to log the local time on the incoming logs ?

Ayn — Tue, 26 Jun 2012 05:54:04 GMT

You can define what timezone logs are in, using the TZ directive in props.conf. More information here: http://docs.splunk.com/Documentation/Splunk/5.0/data/Applytimezoneoffsetstotimestamps

If you don't want to set that up but just want to be able to search on when the logs were actually indexed, you can use the _indextime field that has this information. You could assign _time to _indextime to temporarily 'pretend' that it's the index time that constitutes the timestamp:

... | eval _time=_indextime | ...

Or you could do other stuff with the _indextime field as you see fit. Note that this field is normally hidden due to its internal nature, so for instance doing | table _indextime will not show anything. Using eval you can make it visible.

... | eval indextime=_indextime | table indextime

Re: Is it possible to log the local time on the incoming logs ?

ranjyotiprakash — Mon, 28 Sep 2020 11:59:43 GMT

Thanks for the answer Ayn !!
I have used "eval_time=_indextime" in savedsearches.conf of my app.

search = sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2)| eval _time=_indextime| timechart sum(bandwidth)

It is working in case real time searches on my dashboard. But, when I am selecting last 15 minutes, or last 60 minutes etc. the chart is not showing any data.
Thanks..

Re: Is it possible to log the local time on the incoming logs ?

Ayn — Wed, 27 Jun 2012 07:30:33 GMT

You're welcome.

Re: Is it possible to log the local time on the incoming logs ?

Ayn — Wed, 27 Jun 2012 07:33:03 GMT

...but I suspect you meant that last part as a question?

The thing with setting _time to _indextime in your search is it happens AFTER the events have been extracted from the index. So if you search for events from the last 15 minutes, Splunk will first grab the events that have the ORIGINAL timestamp, before handing it over to the rest of the search pipeline. So even if you set _time to something else after that, the events you will get first of all are the ones that match on the initial timestamp.

Re: Is it possible to log the local time on the incoming logs ?

ranjyotiprakash — Wed, 27 Jun 2012 08:26:39 GMT

In that case,I need to define the TZ directive in props.conf ??

Re: Is it possible to log the local time on the incoming logs ?

Ayn — Wed, 27 Jun 2012 08:40:44 GMT

Yes, that's correct.

Re: Is it possible to log the local time on the incoming logs ?

ranjyotiprakash — Mon, 28 Sep 2020 11:59:46 GMT

one more question AYN..
when we get data over UDP, in that case "no_appending_timestamp = false" appends timestamp and host to the incoming logs.
Is there any attribute, which appends the timestamp & hosts to incoming logs, when we get data over TCP.

Re: Is it possible to log the local time on the incoming logs ?

Ayn — Wed, 27 Jun 2012 09:10:23 GMT

Possibly, I don't know right now. Either way that's not part of this question, so please open up a new question if you want help with that.

Re: Is it possible to log the local time on the incoming logs ?

ranjyotiprakash — Wed, 27 Jun 2012 09:13:01 GMT

Thanks Ayn.. I will open up a new question ..