<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Time Stamp - Log Delay in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Time-Stamp-Log-Delay/m-p/258238#M49607</link>
    <description>&lt;P&gt;I reckon the TIME_FORMAT string is wrong here ...&lt;/P&gt;

&lt;P&gt;It should read &lt;CODE&gt;TIME_FORMAT = %Y %b %d %H:%M:%S:%3N %Z&lt;/CODE&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 30 Nov 2015 14:33:18 GMT</pubDate>
    <dc:creator>DMohn</dc:creator>
    <dc:date>2015-11-30T14:33:18Z</dc:date>
    <item>
      <title>Time Stamp - Log Delay</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-Stamp-Log-Delay/m-p/258237#M49606</link>
      <description>&lt;P&gt;Hi Splunk users,&lt;/P&gt;

&lt;P&gt;I have a problem regarding Splunk showing incorrect timestamps:&lt;/P&gt;

&lt;P&gt;Splunk pretty much shows me timestamps with a 5-hour delay. If something is logged in the logs I monitor, it is logged in EST (it says GMT -5:00 though, and I think that is the problem). However, the log looks like this:&lt;/P&gt;

&lt;P&gt;&lt;IMG src="https://community.splunk.com/storage/temp/73247-capture.jpg" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;It reads GMT -5:00 in the log file and Splunk goes ahead and reads that and shows me the logs only 5 hours after the event occurs. The log file however is written in EST and not GMT.&lt;/P&gt;

&lt;P&gt;I changed my props.conf to tell Splunk that we are in EST. What could I change in order for Splunk to just read the timestamp out of the log without GMT -5:00? I think this is where the problem comes from.&lt;/P&gt;

&lt;P&gt;Also see my props.conf:&lt;/P&gt;

&lt;P&gt;TRUNCATE = 10000&lt;BR /&gt;
TIME_PREFIX = ^&lt;BR /&gt;
TIME_FORMAT = %Y-%m-%d %H:%M:%S&lt;BR /&gt;
MAX_TIMESTAMP_LOOKAHEAD = 29&lt;BR /&gt;
TZ = America/New_York&lt;/P&gt;

&lt;P&gt;I did not set these settings myself, except the TZ setting. So I don't know where the MAX_TIMESTAMP_LOOKAHEAD = 10 or the TIME_FORMAT is coming from.&lt;/P&gt;

&lt;P&gt;Thank you very much for your help,&lt;/P&gt;

&lt;P&gt;Oliver&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 08:02:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-Stamp-Log-Delay/m-p/258237#M49606</guid>
      <dc:creator>omuelle1</dc:creator>
      <dc:date>2020-09-29T08:02:50Z</dc:date>
    </item>
    <item>
      <title>Re: Time Stamp - Log Delay</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-Stamp-Log-Delay/m-p/258238#M49607</link>
      <description>&lt;P&gt;I reckon the TIME_FORMAT string is wrong here ...&lt;/P&gt;

&lt;P&gt;It should read &lt;CODE&gt;TIME_FORMAT = %Y %b %d %H:%M:%S:%3N %Z&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 30 Nov 2015 14:33:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-Stamp-Log-Delay/m-p/258238#M49607</guid>
      <dc:creator>DMohn</dc:creator>
      <dc:date>2015-11-30T14:33:18Z</dc:date>
    </item>
    <item>
      <title>Re: Time Stamp - Log Delay</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-Stamp-Log-Delay/m-p/258239#M49608</link>
      <description>&lt;P&gt;I actually was able to fix it.&lt;/P&gt;

&lt;P&gt;Once I put the props.conf settings also on the indexers, it started indexing correctly.&lt;/P&gt;

&lt;P&gt;I am not sure why, but I now have the correct time.&lt;/P&gt;</description>
      <pubDate>Mon, 30 Nov 2015 14:57:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-Stamp-Log-Delay/m-p/258239#M49608</guid>
      <dc:creator>omuelle1</dc:creator>
      <dc:date>2015-11-30T14:57:54Z</dc:date>
    </item>
  </channel>
</rss>

