topic Can you help me do a timezone conversion for the following events? in Getting Data In

Can you help me do a timezone conversion for the following events?

krusovice — Fri, 14 Dec 2018 03:33:50 GMT

Dear all,

I am kind of confused by the timezone offset setting in props.conf.

My scenario is like this:
Log file is with GMT +8 timestamp, let say now is 10:00 AM.
TZ setting in props.conf is TZ=UTC (GMT+0), let say the now is 02:00 AM
User setting for timezone is GMT

When I've tested to ingest the data, and perform a search for 15min data at 10.00AM, I can only found data at 2:00AM.

When I search data for all time, I can get the data at 10:00AM.

Anyone can help to clear my confusion?

Re: Can you help me do a timezone conversion for the following events?

inventsekar — Fri, 14 Dec 2018 05:33:43 GMT

Log file is with GMT +8 timestamp, let say now is 10:00 AM.
TZ setting in props.conf is TZ=UTC (GMT+0), let say the now is 02:00 AM

Hi.. Any reasons why props is having GMT+0.. why not use GMT+8 itself ?!?!

When I've tested to ingest the data, and perform a search for 15min data at 10.00AM, I can only found data at 2:00AM. When I search data for all time, I can get the data at 10:00AM.

on your search query, try to get _indextime and try to print both _time and _indextime.. that may clear your confusion, i think.

Re: Can you help me do a timezone conversion for the following events?

sdchakraborty — Fri, 14 Dec 2018 05:40:03 GMT

Hi,

This is what is found in props.conf documentation,

TZ =
* The algorithm for determining the time zone for a particular event is as
follows:

If the event has a timezone in its raw text (for example, UTC, -08:00), use that.
If TZ is set to a valid timezone string, use that.
If the event was forwarded, and the forwarder-indexer connection is using the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
Otherwise, use the timezone of the system that is running splunkd.
Defaults to empty.

as you have TZ configuration set to GMT thats why you are getting 2 AM data.

Re: Can you help me do a timezone conversion for the following events?

krusovice — Tue, 29 Sep 2020 22:24:17 GMT

The reason of setting TZ=UTC is because this is global application, there is another same instance based in Europe. I've tried to print both _time and _indextime using this query, found more horrible result. The indextime is 8 hour earlier than _time (_time is 2am, indextime is 6pm a day earlier)

index=* source=*
| eval indextime=_indextime
| stats values(source) by indextime _time
| eval time_gap=indextime - _time, indextime=strftime(indextime, "%y/%m/%d %H:%M:%S")

Re: Can you help me do a timezone conversion for the following events?

krusovice — Fri, 14 Dec 2018 06:16:15 GMT

Thanks for the reply. I'm confused in how Splunk reading the time when the TZ setting is earlier than actual log timestamp (in this case, log is 10AM, but I want Splunk to index the time as 2AM as UTC time).