Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can you help me do a timezone conversion for the following events?

krusovice
Path Finder
‎12-13-2018 07:33 PM

Dear all,

I am kind of confused by the timezone offset setting in props.conf.

My scenario is like this:
Log file is with GMT +8 timestamp, let say now is 10:00 AM.
TZ setting in props.conf is TZ=UTC (GMT+0), let say the now is 02:00 AM
User setting for timezone is GMT

When I've tested to ingest the data, and perform a search for 15min data at 10.00AM, I can only found data at 2:00AM.

When I search data for all time, I can get the data at 10:00AM.

Anyone can help to clear my confusion?

Tags (1)
0 Karma
Reply

sdchakraborty
Contributor
‎12-13-2018 09:40 PM

Hi,

This is what is found in props.conf documentation,

TZ =
* The algorithm for determining the time zone for a particular event is as
follows:

  • If the event has a timezone in its raw text (for example, UTC, -08:00), use that.
  • If TZ is set to a valid timezone string, use that.
  • If the event was forwarded, and the forwarder-indexer connection is using the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
  • Otherwise, use the timezone of the system that is running splunkd.
  • Defaults to empty.

as you have TZ configuration set to GMT thats why you are getting 2 AM data.

0 Karma
Reply

krusovice
Path Finder
‎12-13-2018 10:16 PM

Thanks for the reply. I'm confused in how Splunk reading the time when the TZ setting is earlier than actual log timestamp (in this case, log is 10AM, but I want Splunk to index the time as 2AM as UTC time).

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-13-2018 09:33 PM

Log file is with GMT +8 timestamp, let say now is 10:00 AM.
TZ setting in props.conf is TZ=UTC (GMT+0), let say the now is 02:00 AM

Hi.. Any reasons why props is having GMT+0.. why not use GMT+8 itself ?!?!

When I've tested to ingest the data, and perform a search for 15min data at 10.00AM, I can only found data at 2:00AM. When I search data for all time, I can get the data at 10:00AM.

on your search query, try to get _indextime and try to print both _time and _indextime.. that may clear your confusion, i think.

0 Karma
Reply

krusovice
Path Finder
‎12-13-2018 10:14 PM

The reason of setting TZ=UTC is because this is global application, there is another same instance based in Europe. I've tried to print both _time and _indextime using this query, found more horrible result. The indextime is 8 hour earlier than _time (_time is 2am, indextime is 6pm a day earlier)

index=* source=*
| eval indextime=_indextime
| stats values(source) by indextime _time
| eval time_gap=indextime - _time, indextime=strftime(indextime, "%y/%m/%d %H:%M:%S")
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...