topic Re: How to change the time format before or while logs are being parsed? in Getting Data In

How to change the time format before or while logs are being parsed?

Makinde — Tue, 07 Jun 2016 18:01:04 GMT

I have a database log that comes in with a time stamp which is used by Splunk as the time stamp. However, I noticed the time is in UTC which is neither my time zone nor the time zone the server is in, but somehow the Database admin can't change the time reported in the raw log.

Is there a way to have Splunk convert the time to MST or its own time zone that matches that of my other logs? Can I put this in the props.conf file so it's done on the indexers before the logs are searched?

What command/string can I put in the props.conf file to make this change?

Thanks,

Re: How to change the time format before or while logs are being parsed?

woodcock — Tue, 07 Jun 2016 18:37:18 GMT

There is no reason to do this. Splunk internally normalizes all times to UTC anyway. Furthermore, it re-normalizes them to your configured user Time zone setting whenever you interact with Splunk. Therefore, as long as you have configured TZ correctly in props.conf and also your Edit Account -> Time zone setting, everything should be handled seamlessly as you would like it to.

Re: How to change the time format before or while logs are being parsed?

Makinde — Tue, 07 Jun 2016 20:42:29 GMT

How do you configure TZ in Props, is it;

TZ = US/Mountain

Can I also get Splunk to ignore the time stamp in the log and use the time it received the log as the time stamp?

Re: How to change the time format before or while logs are being parsed?

woodcock — Wed, 08 Jun 2016 05:14:59 GMT

That setting is correctly formatted but keep in mind that it does not CHANGE anything, it informs the indexer what TZ to apply to the time found inside those events (if there is no TZ attached to the timestamp inside the event). You can get Splunk to use _indextime as the timestamp with this:

DATETIME_CONFIG = CURRENT

Re: How to change the time format before or while logs are being parsed?

Makinde — Wed, 08 Jun 2016 20:42:17 GMT

Thanks Woodcock.

After looking at the logs, it appears there is no TZ attached to the timestamp. Here is what the timestamp in the log look like;

2016-06-08T18:01:36.293126Z

Looking at this setting, do you think I need to add "TZ = UTC" to the props.conf file?

Re: How to change the time format before or while logs are being parsed?

woodcock — Thu, 09 Jun 2016 05:33:42 GMT

I think that Z is probably Zulu which means GMT (UTC). You should use this (with no TZ config):

TIME_FORMAT = %Y-%m-%dT%H:%M:%S%6N%z
TZ_ALIAS = Z=UTC