topic Re: Splunk timestamp offset GMT in Getting Data In

Splunk timestamp offset GMT

SFOTC — Wed, 11 Nov 2020 21:15:00 GMT

Good evening.

I have a ASCII event message that looks like the following: The timestamp is in GMT time. When Splunk coverts the timestamp the result is off by 5 hours. For this event message, the resulting timestamp is "11/11/20
5:46:39.969 PM" but should really be "11/11/20 12:46:39.969 PM". I have the servers local time zone set to "UTC -5 Eastern Time". I already created a "props.conf" file and placed the following "TZ=Etc/GMT0", but it did not change the Splunk time stamp.

INFO Stol 20-314-17:46:39.969: !!!!!!!!!INST Telemetry Started !!!!!!

Thank for your assistance.

Re: Splunk timestamp offset GMT

richgalloway — Wed, 11 Nov 2020 21:38:45 GMT

Timestamps as assumed to be in the same time zone as the Splunk server unless otherwise specified. You have a TZ specified, but it's not working so we'll presume the setting is incorrect. Begin by changing the TZ setting to "UTC" or "GMT". Also, the props.conf file must be on the forwarder or indexer that first touches the event.

If that doesn't fix the problem then please share the complete props.conf stanza for event's souretype.

Re: Splunk timestamp offset GMT

SFOTC — Thu, 12 Nov 2020 02:33:30 GMT

Ok, thank I will give that a try. What directory are the "indexers" placed?

Re: Splunk timestamp offset GMT

isoutamo — Thu, 12 Nov 2020 05:38:36 GMT

From where you are collecting those files (same TZ than splunk indexers are or from an UF which TZ is UTC-5)? As @richgalloway said splunk indexers use GMT as internal time when they are storing events. But this information comes from event or from UF if events' have any timezone information. So if you are using UF and those are in TZ=UTC-5 then you must put that information to your inputs.conf on UF.
r. Ismo

Re: Splunk timestamp offset GMT

SFOTC — Thu, 12 Nov 2020 15:41:28 GMT

Thanks, we are a little closer to what we need, but I'm not sure if Splunk can do this.

Our event times are in: YY-DOY-HH:MM:SS (example: 20-316-23:16:36.36)

The above example relates to a date of: 11/11/20 7:16.36pm (a time of 00:00:00 represents 8:00PM and a rollover of the next day). Can Splunk handle a format like this?

Re: Splunk timestamp offset GMT

isoutamo — Thu, 12 Nov 2020 17:35:04 GMT

You should try time format as "%y-%j-%H:%M:%S" and probably the correct time zone from inputs.conf if it isn't in time string.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

r. Ismo

Re: Splunk timestamp offset GMT

burwell — Thu, 12 Nov 2020 18:35:03 GMT

Can you provide exact props and exact sample event?