topic Re: Timestap issue in Getting Data In

Timestap issue

edwardrose — Tue, 29 Sep 2020 18:05:40 GMT

Hello All,

I am a little confused as to what the heck is going wrong with my time stamps. We have the following raw logs:

2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - EMSJobOrderServiceImpl:38 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - SalesOrderDTO object type received.
2018-02-19 11:13:00 - WARN  - ENTITLEMENT - EMSJobOrderServiceImpl:54 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Returning the Job Params...
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method

The timezone for the logs/server is PST, but when the logs get ingested they are coming in with a timestamp as follows:

The props.conf for said data is as follows:

[ems_catalina]
SHOULD_LINEMERGE = false
TIME_PREFIX = <6>
MAX_TIMESTAMP_LOOKAHEAD = 24
TIME_FORMAT = %Y-%m-%dT%H%M%SZ

[ems_applogs]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = US/Pacific

#[source::/apps/tomcat/logs/ems_entitlement_services.log]
#TZ = America/Los_Angeles

The ems_applogs is the sourcetype which I am having issues with. Any ideas/help.

thanks
ed

Re: Timestap issue

skoelpin — Mon, 19 Feb 2018 21:15:07 GMT

I'm betting it has something to do with your TZ attribute. You should try removing it and seeing if that fixes your timestamp issue

Also, are you sure you restarted the splunkd service after making the above changes? It looks like its pulling from old configs and your new ones were not applied

Re: Timestap issue

somesoni2 — Mon, 19 Feb 2018 21:18:07 GMT

In the top right menu bar, go to left most dropdown (which has your user name)-> Edit Account. Check what's the default timezone selected for you. The timestamp you see on search page is adjusted per your default timezone.

Re: Timestap issue

edwardrose — Mon, 19 Feb 2018 21:33:34 GMT

My account specific TZ is set to PST.

Re: Timestap issue

edwardrose — Mon, 19 Feb 2018 21:34:51 GMT

It originally had nothing set for the TZ and the data was off. I added the TZ but did not restart the services as changes to the props.conf file do not always require a restart of the splunk services. But I will try it to test it out.

Re: Timestap issue

somesoni2 — Mon, 19 Feb 2018 21:41:10 GMT

It looks like Splunk is treating the log's timestamp to be in UTC, so it's showing -0800 when displayed in UI. Guessing you'll get your TZ corrected after restart. What version of UF you've where you're collecting your logs? If it's 6.x and above, you can set your TZ settings on UF itself.

Re: Timestap issue

skoelpin — Mon, 19 Feb 2018 21:46:10 GMT

Yes, you need a restart after making any index time setting changes...

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf