Getting Data In

Can you help me do a timezone conversion for the following events?

krusovice
Path Finder

Dear all,

I am kind of confused by the timezone offset setting in props.conf.

My scenario is like this:
The log file has GMT+8 timestamps; let's say now is 10:00 AM.
The TZ setting in props.conf is TZ=UTC (GMT+0); let's say now is 02:00 AM.
The user setting for timezone is GMT.

When I tested ingesting the data and searched for the last 15 minutes of data at 10:00 AM, I could only find data at 2:00 AM.

When I search over all time, I can see the data at 10:00 AM.

Can anyone help clear up my confusion?

0 Karma

sdchakraborty
Contributor

Hi,

This is what is found in the props.conf documentation:

TZ =
* The algorithm for determining the time zone for a particular event is as
follows:

  • If the event has a timezone in its raw text (for example, UTC, -08:00), use that.
  • If TZ is set to a valid timezone string, use that.
  • If the event was forwarded, and the forwarder-indexer connection is using the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
  • Otherwise, use the timezone of the system that is running splunkd.
  • Defaults to empty.

As you have the TZ configuration set to GMT, that's why you are getting 2 AM data.

0 Karma

krusovice
Path Finder

Thanks for the reply. I'm confused about how Splunk reads the time when the TZ setting is earlier than the actual log timestamp (in this case, the log says 10 AM, but I want Splunk to index the time as 2 AM UTC).

0 Karma

inventsekar
Super Champion

The log file has GMT+8 timestamps; let's say now is 10:00 AM.
The TZ setting in props.conf is TZ=UTC (GMT+0); let's say now is 02:00 AM.

Hi. Any reason why props.conf has GMT+0? Why not use GMT+8 itself?!

When I tested ingesting the data and searched for the last 15 minutes of data at 10:00 AM, I could only find data at 2:00 AM. When I search over all time, I can see the data at 10:00 AM.

In your search query, try to get _indextime and print both _time and _indextime. That may clear up your confusion, I think.

PS: If any post helped you in any way, please give a hi-five to the author with an upvote. If your issue got resolved, please accept the reply as the solution. Thanks.
0 Karma
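The time-zone precedence quoted from the props.conf documentation above, and the _time versus _indextime comparison suggested in this reply, modelled in Python. This is an added example written for this thread; it is not Splunk's code and was not posted by anyone in the discussion. The props.conf stanzas, sourcetype names (app_log_utc, app_log_sgt), the sample event, the index time, and the use of Asia/Singapore as a stand-in GMT+8 zone are all constructed for the illustration.

```python
"""Model of how Splunk decides an event's time zone and what that does to
_time versus _indextime. Added illustration for this thread, not Splunk's
own code. The precedence follows the props.conf TZ documentation quoted
above: (1) an offset or zone in the raw event text, (2) the TZ setting of
the matching props.conf stanza, (3) the time zone of the host running
splunkd. The forwarder-protocol step is left out: no forwarder is modelled.
"""
import configparser
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed props.conf with two stanzas for the same log format. The
# sourcetype names are made up; Asia/Singapore stands in for a GMT+8 zone.
PROPS_CONF = """
[app_log_utc]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC

[app_log_sgt]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = Asia/Singapore
"""

# Constructed event: the application wrote "02:00:00" in GMT+8 local time,
# which is 18:00:00 UTC on the previous day. No offset appears in the text.
RAW_EVENT = "2019-08-01 02:00:00 INFO user login ok"
RAW_EVENT_WITH_OFFSET = "2019-08-01 02:00:00 +08:00 INFO user login ok"
# Constructed _indextime: the indexer received the event five seconds later.
INDEX_TIME = datetime(2019, 7, 31, 18, 0, 5, tzinfo=timezone.utc)

# Fixed-offset fallback for hosts without the IANA tz database installed.
FALLBACK_OFFSET_HOURS = {"UTC": 0, "Asia/Singapore": 8}

TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"   # timestamp as TIME_FORMAT above
    r"(?:\s*(Z|[+-]\d{2}:?\d{2}))?"             # optional offset in the raw text
)


def zone(name):
    """Resolve a TZ value such as 'UTC' or 'Asia/Singapore' to a tzinfo."""
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=FALLBACK_OFFSET_HOURS[name]))


def load_tz(props_text, sourcetype):
    """Return the TZ setting of a props.conf stanza ('' when unset)."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %Y etc. literal
    cp.read_string(props_text)
    return cp.get(sourcetype, "TZ", fallback="")


def parse_offset(token):
    """Turn 'Z', '+08:00' or '-0800' from the raw event into a tzinfo."""
    if token == "Z":
        return timezone.utc
    sign = 1 if token[0] == "+" else -1
    digits = token[1:].replace(":", "")
    return timezone(sign * timedelta(hours=int(digits[:2]), minutes=int(digits[2:])))


def resolve_event_time(raw_event, tz_setting, system_tz="UTC"):
    """Apply the documented precedence and return an aware datetime (_time)."""
    m = TS_RE.match(raw_event)
    if not m:
        raise ValueError("no recognizable timestamp in event")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    if m.group(2):                       # 1. zone in the raw text wins
        tz = parse_offset(m.group(2))
    elif tz_setting:                     # 2. props.conf TZ
        tz = zone(tz_setting)
    else:                                # 3. splunkd host time zone
        tz = zone(system_tz)
    return naive.replace(tzinfo=tz)


def time_gap_seconds(raw_event, tz_setting, index_time=INDEX_TIME):
    """Same quantity as `eval time_gap=_indextime - _time` in SPL."""
    return int((index_time - resolve_event_time(raw_event, tz_setting)).total_seconds())


def demo_gaps():
    """time_gap for the constructed event under each stanza and with an inline offset."""
    return {
        "app_log_utc": time_gap_seconds(RAW_EVENT, load_tz(PROPS_CONF, "app_log_utc")),
        "app_log_sgt": time_gap_seconds(RAW_EVENT, load_tz(PROPS_CONF, "app_log_sgt")),
        "offset_in_event": time_gap_seconds(RAW_EVENT_WITH_OFFSET, load_tz(PROPS_CONF, "app_log_utc")),
    }


if __name__ == "__main__":
    for name, gap in demo_gaps().items():
        print(f"{name:16s} time_gap = {gap:+d} s")
```

Under the app_log_utc stanza the event's wall-clock "02:00" is taken as 02:00 UTC, so _time lands eight hours after the moment the event was actually indexed and time_gap comes out about -8 hours; that is the signature of a source that writes local GMT+8 time while props.conf declares it UTC. With a TZ that matches the writer's zone, or with an offset present in the timestamp itself (which the first rule honours regardless of TZ), the gap collapses to the few seconds of ingest latency. The user's display timezone setting never enters this calculation; it only changes how the stored epoch is rendered.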

krusovice
Path Finder

The reason for setting TZ=UTC is that this is a global application; there is another identical instance based in Europe. I've tried to print both _time and _indextime using this query and found an even more horrible result: the indextime is 8 hours earlier than _time (_time is 2 AM, indextime is 6 PM the day before).

index=* source=*
| eval indextime=_indextime
| stats values(source) by indextime _time
| eval time_gap=indextime - _time, indextime=strftime(indextime, "%y/%m/%d %H:%M:%S")
0 Karma