Dear all,
I am kind of confused by the timezone offset setting in props.conf.
My scenario is like this:
The log file has GMT+8 timestamps; let's say now is 10:00 AM.
The TZ setting in props.conf is TZ=UTC (GMT+0); let's say now is 02:00 AM.
The user setting for timezone is GMT.
When I tested ingesting the data and performed a search for 15 min of data at 10:00 AM, I could only find data at 2:00 AM.
When I search over all time, I can get the data at 10:00 AM.
Can anyone help clear my confusion?
Hi,
This is what is found in the props.conf documentation:
TZ =
* The algorithm for determining the time zone for a particular event is as follows:
As you have the TZ configuration set to GMT, that's why you are getting 2 AM data.
Thanks for the reply. I'm confused about how Splunk reads the time when the TZ setting is earlier than the actual log timestamp (in this case, the log is 10 AM, but I want Splunk to index the time as 2 AM UTC).
The log file has GMT+8 timestamps; let's say now is 10:00 AM.
The TZ setting in props.conf is TZ=UTC (GMT+0); let's say now is 02:00 AM.
Hi. Any reason why props has GMT+0? Why not use GMT+8 itself?!
When I tested ingesting the data and performed a search for 15 min of data at 10:00 AM, I could only find data at 2:00 AM. When I search over all time, I can get the data at 10:00 AM.
On your search query, try to get _indextime and print both _time and _indextime. That may clear your confusion, I think.
The reason for setting TZ=UTC is that this is a global application; there is another instance of the same thing based in Europe. I've tried to print both _time and _indextime using this query and found an even more horrible result. The _indextime is 8 hours earlier than _time (_time is 2 AM, _indextime is 6 PM a day earlier):
index=* source=*
| eval indextime=_indextime
| stats values(source) by indextime _time
| eval time_gap=indextime - _time, indextime=strftime(indextime, "%y/%m/%d %H:%M:%S")
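A small model of the TZ rule discussed in this thread, added here as an example and not code from the thread or from Splunk itself: it takes a GMT+8 log line like the one in the question, reads its zone-less timestamp once under TZ=UTC and once under a GMT+8 setting, and shows the eight-hour skew and why a "last 15 minutes" search run at the real time of the event does not return it. The sample line and the simplification of zones to fixed UTC offsets are assumptions.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample log line: the timestamp carries no zone marker, and the
# host that wrote it runs at GMT+8, as in the question.
LOG_LINE = "2024-03-05 10:00:00 INFO user login ok"
SOURCE_OFFSET_HOURS = 8   # what the writer really meant (assumed; not in the line)

def _naive(line: str) -> datetime:
    """Extract the timestamp text; it has no offset, so it is zone-less."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")

def epoch_under_tz(line: str, tz_offset_hours: int) -> int:
    """Model of the props.conf TZ rule: a timestamp with no zone marker is read as
    wall-clock time in the configured zone. Zones are simplified here to fixed
    UTC offsets (TZ=UTC -> 0, a GMT+8 zone -> 8)."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    return int(_naive(line).replace(tzinfo=tz).timestamp())

def skew_seconds(line: str, tz_offset_hours: int) -> int:
    """How far _time lands from the real instant; positive means later."""
    return epoch_under_tz(line, tz_offset_hours) - epoch_under_tz(line, SOURCE_OFFSET_HOURS)

def in_last_15_min(event_epoch: int, search_now_epoch: int) -> bool:
    """Would a 'last 15 minutes' search run at search_now_epoch see the event?"""
    return search_now_epoch - 900 <= event_epoch <= search_now_epoch

if __name__ == "__main__":
    # The searcher runs "last 15 minutes" at the real moment of the event
    # (10:00 GMT+8, which is 02:00 UTC).
    now = epoch_under_tz(LOG_LINE, SOURCE_OFFSET_HOURS)
    for label, off in (("UTC", 0), ("GMT+8", 8)):
        t = epoch_under_tz(LOG_LINE, off)
        shown = datetime.fromtimestamp(t, timezone.utc).strftime("%H:%M UTC")
        print(f"TZ={label:6} _time={shown}  skew={skew_seconds(LOG_LINE, off) // 3600:+d}h  "
              f"found_by_last_15min={in_last_15_min(t, now)}")
```

With TZ=UTC the event's _time becomes 10:00 UTC although it happened at 02:00 UTC, so a time-bounded search or a correlation against _indextime is off by exactly eight hours; with the zone matching the writer the skew is zero.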