How to make the time columns displayed on Splunk m...

mutiaratambunan · ‎04-06-2018

Hi, I'm a newbie here need some guide...

I have this kind of rawtext :
2018 Apr 6 15:15:03:735 GMT +0700 BW.NISP_JDBC_SIBS_Gateway-1-NISP_JDBC_SIBS_Gateway-18-6 User [BW-User] TraceFlagTrue Job-6000 [NISP_JDBC_SIBS_Gateway/ProcessDefinition.process/Group/LogAfter]: Error148

When the data is forwarded to the Splunk server and search by it index, it was displayed the Time colum on this kind of format :
4/6/18 10:15:03.735 PM.

I've already tried to change it by modifying the ...\SplunkUniversalForwarder\etc\apps\learned\local\props.conf but still the Time Column not affected. I Change it like this :
[BIsaGila-too_small]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 24
TIME_FORMAT=%Y %b %d %H:%M:%S:%3N
PREFIX_SOURCETYPE = True
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 999999
NO_BINARY_CHECK = true
TZ = UTC
is_valid = True
maxDist = 9999

Please help me.

Thanks

robgora_deloitt · ‎04-06-2018

So your time zones are off on your data? Then you need to set a props.conf on the indexer and specify the time zone based on the host or on the source type.

https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Applytimezoneoffsetstotimestamps

Following are some examples of how to specify time zones in props.conf.

In the first example, events come into the indexer from New York City (in the US/Eastern time zone) and Mountain View, California (US/Pacific). To correctly handle the timestamps for these two sets of events, the props.conf for the indexer needs the time zone to be specified as US/Eastern and US/Pacific, respectively.

The first example sets the time zone to US/Eastern for any events coming from hosts whose names match the regular expression nyc.*:

[host::nyc*]
TZ = US/Eastern
The second example sets the time zone to US/Pacific for any events coming from sources in the path /mnt/ca/...:

[source::/mnt/ca/...]
TZ = US/Pacific

FrankVl · ‎04-06-2018

2 questions:

why would you want to set TZ = UTC if the log reports in GMT+0700
what exactly is your issue? Do you think something is wrong with the time value displayed in Splunk, or with the format of how it is displayed?

mutiaratambunan · ‎04-10-2018

To be honest I do not know how its configuration should be done, I follow someone who seems to experience something similar to me https://answers.splunk.com/answers/555414/how-to-edit-propsconf-to-ignore-timezone-informati. html
My Issue is, on the splunk web server, when I'm searching data, the Time column displayed GMT + 7, is not match with the raw data. On the raw data its --> 2018 Apr 10 15:42:03:735 GMT +0700 Test22, but on time column it was displayed 4/10/18 10:42:03.735 PM, it was not right. And I still cannot solve it out.

FrankVl · ‎04-10-2018

What is your Splunk webinterface set to, timezone wise? (see your account settings)

The time displayed by Splunk will always differ from the timestamp in the raw event, if the timezone of the event is different from the timezone you use to view Splunk. Splunk will present the time value in your timezone, regardless of the timezone in the raw event.

Assuming you view Splunk in GMT+7
You ingest data with 2018 Apr 10 15:42:03:735 GMT +0700
You tell splunk that data is in UTC timezone (which it isn't)
Splunk will interpret the timestamp from the raw event as UTC (GMT) timezone and then add 7h to calculate the time value that Splunk displays to you (assuming you have Splunk web interface set to show in GMT+7). This results in a time value of 4/10/18 10:42:03.735 PM

So unless there is something more at hand, I think you need to simply make sure splunk interprets the timestamps in your events correctly. So either set the TZ to the correct value, or update the TIME_FORMAT setting to also read the timezone from the event.

p_gurav · ‎04-06-2018

Can you try putting props.conf on indexer?

sarvan7777 · ‎04-06-2018

I think you can use the strptime function to convert your time filed value to any desired format.

mutiaratambunan · ‎04-06-2018

Do you mean by indexer on the Splunk Server? Where should I put it?

p_gurav · ‎04-06-2018

you can put it in Splunk\etc\system\local or in Splunk\etc\apps\your_app\local direactory.

p_gurav · ‎04-06-2018

This may help:

https://answers.splunk.com/answers/10265/change-default-web-ui-locale.html

mutiaratambunan · ‎04-10-2018

Hi Gurav ... I've changed the props.conf on the server settings /opt/splunk/etc/apps/MyApps/default/props.conf, the place matches the configuration of the index I'm using.

When I test it in the morning with this setting

TIME_PREFIX = ^
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N

MAX_TIMESTAMP_LOOKAHEAD = 24

When I search it from splunk web, the Time column displayed in a correct time :
Time Column --> 4/10/18 9:38:03.735 AM
Raw Data --> 2018 Apr 10 09:38:03:735 GMT +0700 BW.NISP_JDBC_SIBS_Gateway-1-NISP_JDBC_SIBS_Gateway-18-6 User [BW-User] TraceFlagTrue Job-6000 [NISP_JDBC_SIBS_Gateway/ProcessDefinition.process/Group/LogAfter]: Error150 2018 Apr 6 15:16:03:735 HARJA4

But when I test it after 12 on the afternoon, the hours on Time column on splunk web displayed +7.
Help me here...

How to make the time columns displayed on Splunk match those in the raw data

When I test it in the morning with this setting

MAX_TIMESTAMP_LOOKAHEAD = 24

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes