https://community.splunk.com/t5/Getting-Data-In/How-to-fix-an-incorrectly-indexed-timestamp/m-p/322777#M60107 <P>@mholden37 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.</P> Thu, 20 Apr 2017 00:56:00 GMT aaraneta_splunk 2017-04-20T00:56:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-fix-an-incorrectly-indexed-timestamp/m-p/322774#M60104 <P>Splunk is not showing the correct time on the events. The time that Splunk gives the log is 5 hours behind the time that it is supposed to be. The time is correct on the server and the logs but Splunk is saying it is 5 hours behind. For the below timestamp it is giving it a time of 8:48:06.000 AM when it should be 1:48:06.000PM.</P> <P>2017-02-22T13:48:06Z </P> <P>In props.conf I have TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ</P> <P>I have also tried changing the timezone to TZ = UTC and that did not fix it.</P> Wed, 22 Feb 2017 18:59:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-fix-an-incorrectly-indexed-timestamp/m-p/322774#M60104 mholden37 2017-02-22T18:59:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-fix-an-incorrectly-indexed-timestamp/m-p/322775#M60105 <P>If your Splunk is in the US eastern time zone then 13:48:06Z correctly converts to 08:48:06 EST. The "Z" says the timestamp is in UTC so Splunk converts it to the local time zone. If that is not the expected behavior then change the server to specify the correct time zone in its events.</P> Wed, 22 Feb 2017 19:20:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-fix-an-incorrectly-indexed-timestamp/m-p/322775#M60105 richgalloway 2017-02-22T19:20:04Z https://community.splunk.com/t5/Getting-Data-In/How-to-fix-an-incorrectly-indexed-timestamp/m-p/322776#M60106 <P>What happens when you set the time to be parsed automatically?<BR /> Alternatively, try using the <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions#Date_and_Time_functions">strptime</A> to validate the string parsing.<BR /> For example, you could also try <CODE>%FT%TZ</CODE> as per <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables</A></P> Mon, 27 Feb 2017 22:12:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-fix-an-incorrectly-indexed-timestamp/m-p/322776#M60106 sloshburch 2017-02-27T22:12:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-fix-an-incorrectly-indexed-timestamp/m-p/322777#M60107 <P>@mholden37 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.</P> Thu, 20 Apr 2017 00:56:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-fix-an-incorrectly-indexed-timestamp/m-p/322777#M60107 aaraneta_splunk 2017-04-20T00:56:00Z