https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timezone-in-json/m-p/474600#M81518 <P>The timestamp is of GMT format(Z at the end indicates time is GMT). Assuming that the source has actually put in the timestamp in GMT and not just stamped the local time with the GMT format, you could just ingest it as GMT. Based on the timezone set in your profile, Splunk would convert the timestamp to your local timestamp.</P> <P>EDIT: I just converted the startTime field in <A href="https://www.epochconverter.com/">https://www.epochconverter.com/</A> and it looks like the timestamp is actual GMT and not just local time stamped in GMT format.</P> Sat, 02 Nov 2019 12:52:44 GMT arjunpkishore5 2019-11-02T12:52:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timezone-in-json/m-p/474599#M81517 <P>We have a log that we've been asked to ingest which is a json format file that's similar to this:</P> <PRE><CODE> {"type":"appRequest", "severity":"INFO", "eventid":"abcdefg1234567", "userid":76965813945444, "timezone":7, "timestamp":"2019-10-30T23:57:59.958Z", "logLevel":"INFO", "url":"/some/url", "diagnosticsEventId":"someEventId", "startTime":1572479879958, "logDetails":"200,OK"} </CODE></PRE> <P>As you can see, the timezone is specified in a field instead of built into the timestamp string. I've look around to no avail, is there a way to specify the event timezone based on the timezone (this is offset to GMT in hours)?</P> Sat, 02 Nov 2019 00:31:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timezone-in-json/m-p/474599#M81517 paxtaru 2019-11-02T00:31:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timezone-in-json/m-p/474600#M81518 <P>The timestamp is of GMT format(Z at the end indicates time is GMT). Assuming that the source has actually put in the timestamp in GMT and not just stamped the local time with the GMT format, you could just ingest it as GMT. Based on the timezone set in your profile, Splunk would convert the timestamp to your local timestamp.</P> <P>EDIT: I just converted the startTime field in <A href="https://www.epochconverter.com/">https://www.epochconverter.com/</A> and it looks like the timestamp is actual GMT and not just local time stamped in GMT format.</P> Sat, 02 Nov 2019 12:52:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timezone-in-json/m-p/474600#M81518 arjunpkishore5 2019-11-02T12:52:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timezone-in-json/m-p/474601#M81519 <P>Thank you. It's a misunderstanding on my part. I will confirm with our developer as well just to make sure.</P> Sat, 02 Nov 2019 15:24:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timezone-in-json/m-p/474601#M81519 paxtaru 2019-11-02T15:24:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timezone-in-json/m-p/621122#M106995 <P>I have this issue as well but without the benefit of logs in GMT. My logs are multiple time zones in a single host, index, source, sourcetype combo. Here's an example:</P><LI-CODE lang="markup">{ [-] AppID: ElapsedSeconds: 0.694 seconds Event: RestCall Method: POST Request: { [+] } RequestLength: 371 RequestTimestamp: 16-Nov-2022 12:59:54 Response: { [+] } ResponseLength: 286 ResponseTimestamp: 16-Nov-2022 12:59:55 SequenceNumber: null ServiceName: ServiceURL: StatusCode: 200 StatusText: OK TimeZone: Asia/Shanghai UserID: UserIP: 127.0.0.1 UserName: }</LI-CODE><P>&nbsp;</P><P>In total there are about 85 different timezones logging here. Any idea how to get Splunk to recognize the timezone when not with the time stamp?&nbsp;</P> Wed, 16 Nov 2022 19:08:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timezone-in-json/m-p/621122#M106995 Labbemiche 2022-11-16T19:08:23Z