https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696321#M236664 <P>There seems to be probably TZ issue with some other issues with your ingestion phase. If I recall right TZ are +/- 1h or x.5h difference with local time and UTC time. But your time difference didn’t match that.</P><P>You must get your correct props.conf and also raw source event before it was ingested into splunk. With those we could help you.</P> Wed, 14 Aug 2024 21:17:20 GMT isoutamo 2024-08-14T21:17:20Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696307#M236657 <P><BR />Hello, I have time stamps that are not matching. How do I table the actual "Event log time stamp" ?</P><P>&nbsp;</P><TABLE width="866"><TBODY><TR><TD width="142.926px" height="46px">Splunk Time stamp</TD><TD width="722.159px" height="46px">Event log time stamp</TD></TR><TR><TD width="142.926px" height="61px"><SPAN>8/14/24<BR />4:29:21.000 AM</SPAN></TD><TD width="722.159px" height="61px"><P><BR />2024-08-13 17:49:23,006 [https-mmme-nio-1111-exec-2] ERROR</P></TD></TR></TBODY></TABLE> Wed, 14 Aug 2024 19:44:42 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696307#M236657 kc_prane 2024-08-14T19:44:42Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696310#M236659 <P>What you have on raw event and how you have define timestamp extraction on props.conf?</P> Wed, 14 Aug 2024 19:49:32 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696310#M236659 isoutamo 2024-08-14T19:49:32Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696315#M236661 <P>Hi&nbsp; @<SPAN>isoutamo,&nbsp;</SPAN> The below is the raw event. I dont have access to props.conf. so just wanted to extract the time stamp from the raw event.</P><P><SPAN>2024-08-13 17:49:23,006 [https-mmme-nio-1111-exec-2] ERROR</SPAN></P><P>&nbsp;</P> Wed, 14 Aug 2024 20:18:04 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696315#M236661 kc_prane 2024-08-14T20:18:04Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696317#M236662 <P>I indexed this log in a new sourcetype on a test machine in the GMT+2 timezone, and the timestamp seems to have extracted properly. We would need to know what your timestamp settings in props.conf are to find out where the timestamp extraction is going wrong.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="marnall_0-1723667418941.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/32218i4CAB5285064993D6/image-size/medium?v=v2&amp;px=400" role="button" title="marnall_0-1723667418941.png" alt="marnall_0-1723667418941.png" /></span></P><P>&nbsp;</P> Wed, 14 Aug 2024 20:31:12 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696317#M236662 marnall 2024-08-14T20:31:12Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696321#M236664 <P>There seems to be probably TZ issue with some other issues with your ingestion phase. If I recall right TZ are +/- 1h or x.5h difference with local time and UTC time. But your time difference didn’t match that.</P><P>You must get your correct props.conf and also raw source event before it was ingested into splunk. With those we could help you.</P> Wed, 14 Aug 2024 21:17:20 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696321#M236664 isoutamo 2024-08-14T21:17:20Z https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696347#M236671 <BLOCKQUOTE><HR />Hi&nbsp; @<SPAN>isoutamo,&nbsp;</SPAN> The below is the raw event. I dont have access to props.conf. so just wanted to extract<HR /></BLOCKQUOTE><P>You do not need direct access to props.conf. &nbsp;Just use Splunk Web's Settings -&gt; Source Types interface. &nbsp;There are two menus where you can customize your timestamp handling, Timestamp and Advanced.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sourcetype-timestamp.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/32224i4C506A323ABAB551/image-size/medium?v=v2&amp;px=400" role="button" title="sourcetype-timestamp.png" alt="sourcetype-timestamp.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sourcetype-advanced.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/32225i539ED80FBB5ECD65/image-size/medium?v=v2&amp;px=400" role="button" title="sourcetype-advanced.png" alt="sourcetype-advanced.png" /></span></P><P>As&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;says, your problem might not be in Splunk's time extraction; instead, the apparent difference could be in time zone. &nbsp;If this is not the case, the best cause of action is to correct time extraction. &nbsp;Search time correction should only be used as the last resort. &nbsp;It can be done, of course.</P><LI-CODE lang="markup">| rex "^(?&lt;timestamp&gt;\S+ \S+)" | eval _time = strptime(timestamp, "%F %T,%3N")</LI-CODE><P>The big problem with search time adjustment of an essential datapoint such as _time is that you lose precision when trying to set index search interval.</P> Thu, 15 Aug 2024 06:00:47 GMT https://community.splunk.com/t5/Splunk-Search/Time-Stamp-Help/m-p/696347#M236671 yuanliu 2024-08-15T06:00:47Z