https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191210#M187186 <P>Try using this a TIME_FORMAT in props.conf</P> <PRE><CODE>TIME_FORMAT = %Y %b %d %H:%M:%S:%3Q %Z %z </CODE></PRE> Mon, 17 Mar 2014 17:25:29 GMT somesoni2 2014-03-17T17:25:29Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191208#M187184 <P>Quick question, is Splunk supposed to be able to understand a time stamp string like this;</P> <PRE><CODE>2014 Mar 14 20:51:10:981 GMT -7 </CODE></PRE> <P>It seems to not understand the "-7" part. The raw data is showing up as simply GMT time.</P> Mon, 17 Mar 2014 16:36:44 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191208#M187184 OldManEd 2014-03-17T16:36:44Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191209#M187185 <P>That is a non-standard timestamp. A more standard format would be "2014 Mar 14 20:51:10.981-0700". Splunk can be taught to parse your dates, however, by modifying the props.conf file. See <A href="http://answers.splunk.com/answers/4176/splunk-time-stamp-error">http://answers.splunk.com/answers/4176/splunk-time-stamp-error</A>.</P> Mon, 17 Mar 2014 17:18:20 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191209#M187185 richgalloway 2014-03-17T17:18:20Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191210#M187186 <P>Try using this a TIME_FORMAT in props.conf</P> <PRE><CODE>TIME_FORMAT = %Y %b %d %H:%M:%S:%3Q %Z %z </CODE></PRE> Mon, 17 Mar 2014 17:25:29 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191210#M187186 somesoni2 2014-03-17T17:25:29Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191211#M187187 <P>My confusion is if altering the props.conf file will override the GMT stamp in the source data. I ~thought~ that if Splunk saw a timezone in the source data, it would take that information first over the props.conf file. I assume I'm wrong on this one and that would be a good thing.</P> Mon, 17 Mar 2014 17:29:56 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191211#M187187 OldManEd 2014-03-17T17:29:56Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191212#M187188 <P>As per documentation, it will use TZ from raw data first, if available. (props.conf documentation)</P> <P>TZ = <TIMEZONE identifier=""><BR /> * The algorithm for determining the time zone for a particular event is as follows:<BR /> * If the event has a timezone in its raw text (for example, UTC, -08:00), use that.<BR /> * If TZ is set to a valid timezone string, use that.<BR /> * If the event was forwarded, and the forwarder-indexer connection is using the<BR /> 6.0+ forwarding protocol, use the timezone provided by the forwarder.<BR /> * Otherwise, use the timezone of the system that is running splunkd.</TIMEZONE></P> Mon, 17 Mar 2014 19:33:19 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191212#M187188 somesoni2 2014-03-17T19:33:19Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191213#M187189 <P>So, in my case, with the raw data showing </P> <P>2014 Mar 14 20:51:10:981 GMT -7</P> <P>I'm hosed unless I can get the user to change his logging format, correct?</P> Mon, 17 Mar 2014 20:41:59 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191213#M187189 OldManEd 2014-03-17T20:41:59Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191214#M187190 <P>Splunk can identify timezone by itself if its in standard format. Since your logs have custom timestamp, You need to specify TIME_FORMAT attribute to enable Splunk to identify the location of timezone in your logs. ("%Z %Z" part). You can specify TZ attribute in case the logs will miss timezone part (in that case it will take the timezone from the TZ attribute).</P> Mon, 17 Mar 2014 21:13:00 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Question/m-p/191214#M187190 somesoni2 2014-03-17T21:13:00Z