https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114998#M24068 <P>This is a single server splunk deployment. The events come directly into the splunk server via webservice.</P> Tue, 01 Apr 2014 15:19:17 GMT jedatt01 2014-04-01T15:19:17Z https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114994#M24064 <P>I have a modular input that collects data from a webservice. The events are not collected in realtime so to get the true timestamp I have to extract that from the time field on each event instead of using when splunk consumes it as the time stamp. </P> <P>The problem with this is the event time is in UTC and my server is in US/Eastern time (UTC-5). When I search for the events they show 5 hours ahead. This causes problems when using relative search times because no data shows up.</P> <P>How can I use props.conf or other method to make the events show up in Splunk as US/Eastern time so my searches work correctly? My current props.conf is below. I've tried to change the TZ= setting but it makes no difference. Please help!</P> <P>[test]<BR /> NO_BINARY_CHECK=1<BR /> SHOULD_LINEMERGE=true<BR /> BREAK_ONLY_BEFORE=^{<BR /> TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3Q<BR /> TZ=UTC<BR /> KV_MODE=json<BR /> TRUNCATE=15000</P> <P>Here's what the raw event logs like from splunkd.log<BR /> {<BR /> 'tot': 86, <BR /> 'epoch': 1396352800, <BR /> 'tos': 85, <BR /> 'sid': 318, <BR /> 'browsertype': IE7, <BR /> 'type': 'txtest', <BR /> 'sname': New York, NY - Verizon, <BR /> 'ttime': 2014-04-01 07:46:40.433, <BR /> 'tpf': 0, <BR /> 'rtime': 5954, <BR /> 'nbyte': 729580, <BR /> 'tof': 0, <BR /> 'mid': 14247945, <BR /> 'tps': 3, 'tpt': 3<BR /> }</P> Mon, 28 Sep 2020 16:17:21 GMT https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114994#M24064 jedatt01 2020-09-28T16:17:21Z https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114995#M24065 <P>The timezone will be applied on index time. Therefore you cannot modify existing data to show correctly. You may want to export the data and re-import it.</P> Tue, 01 Apr 2014 14:36:00 GMT https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114995#M24065 aelliott 2014-04-01T14:36:00Z https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114996#M24066 <P>What about data that has not already been indexed? I'm not concerned about the data that is already there.</P> Tue, 01 Apr 2014 15:07:23 GMT https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114996#M24066 jedatt01 2014-04-01T15:07:23Z https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114997#M24067 <P>Where did you configure this, on the indexer?</P> Tue, 01 Apr 2014 15:09:55 GMT https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114997#M24067 Ayn 2014-04-01T15:09:55Z https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114998#M24068 <P>This is a single server splunk deployment. The events come directly into the splunk server via webservice.</P> Tue, 01 Apr 2014 15:19:17 GMT https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114998#M24068 jedatt01 2014-04-01T15:19:17Z https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114999#M24069 <P>Hello,<BR /> I checked the data. Your intended timestamp was not recognized. Try the below configuration.</P> <PRE><CODE>[test] NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true BREAK_ONLY_BEFORE=^{ TIME_PREFIX='ttime': TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3Q TZ=UTC KV_MODE=json TRUNCATE=15000 </CODE></PRE> <P>Thanks</P> Tue, 01 Apr 2014 18:49:29 GMT https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/114999#M24069 linu1988 2014-04-01T18:49:29Z https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/115000#M24070 <P>That did the trick! thanks</P> Tue, 01 Apr 2014 19:10:22 GMT https://community.splunk.com/t5/Getting-Data-In/Using-props-conf-to-change-timestamp/m-p/115000#M24070 jedatt01 2014-04-01T19:10:22Z