topic Re: What is the best method of configuring timestamp recognition to support all ISO 8601 formats with Splunk 6.4.1? in Getting Data In

What is the best method of configuring timestamp recognition to support all ISO 8601 formats with Splunk 6.4.1?

crisjnelson — Fri, 02 Mar 2018 17:23:34 GMT

One of our teams wishes to use ISO 8601 for their log event timestamps. They have the desire to use any of the formats provided in that standard. Does Splunk 6.4.1 support timestamp recognition configuration for this?

The logs currently use this variation: 2018-03-02T17:02:09.335Z

What is the recommended way to configure timestamp recognition for the above sample?

Re: What is the best method of configuring timestamp recognition to support all ISO 8601 formats with Splunk 6.4.1?

richgalloway — Fri, 02 Mar 2018 18:38:47 GMT

I believe that time format is supported by default. However, it's a best practice to always put TIME_FORMAT in your props.conf files to tell Splunk what time format is used by each sourcetype. This keeps Splunk from guessing wrong and actually improves indexing performance.
In your case, use TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z.

Re: What is the best method of configuring timestamp recognition to support all ISO 8601 formats with Splunk 6.4.1?

crisjnelson — Fri, 02 Mar 2018 18:50:06 GMT

Much appreciated! I am doing this, and assume Splunk is using UTC as the time zone. Now, search results appear in the future. I have to select all time to get the latest events. My Indexers are running in CST and my Search Heads are running in PST. _time shows as something else. What do I need to configure in order for my searches to be relative to the current time?

Re: What is the best method of configuring timestamp recognition to support all ISO 8601 formats with Splunk 6.4.1?

richgalloway — Sat, 03 Mar 2018 21:40:10 GMT

If you set the time zone in your profile to CST do events still appear in the future?

Many admins prefer to run all of their Splunk servers in UTC (or some other common time zone) to avoid problems and confusion.

Re: What is the best method of configuring timestamp recognition to support all ISO 8601 formats with Splunk 6.4.1?

ddrillic — Sun, 04 Mar 2018 00:37:53 GMT

Interesting - according to Date and time format variables

we can replace %Y-%m-%d with %F.

Re: What is the best method of configuring timestamp recognition to support all ISO 8601 formats with Splunk 6.4.1?

esix_splunk — Sun, 04 Mar 2018 06:42:45 GMT

What time zone are you in, and what time zone is set in your GUI for Splunk. Additionally you can set the timezone in the props on your host and help alleviate this kind of issue.