Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me do a timezone conversion for the following events?

krusovice
Path Finder
‎12-13-2018 07:33 PM

Dear all,

I am kind of confused by the timezone offset setting in props.conf.

My scenario is like this:
Log file is with GMT +8 timestamp, let say now is 10:00 AM.
TZ setting in props.conf is TZ=UTC (GMT+0), let say the now is 02:00 AM
User setting for timezone is GMT

When I've tested to ingest the data, and perform a search for 15min data at 10.00AM, I can only found data at 2:00AM.

When I search data for all time, I can get the data at 10:00AM.

Anyone can help to clear my confusion?

Tags (1)
0 Karma
Reply

sdchakraborty
Contributor
‎12-13-2018 09:40 PM

Hi,

This is what is found in props.conf documentation,

TZ =
* The algorithm for determining the time zone for a particular event is as
follows:

  • If the event has a timezone in its raw text (for example, UTC, -08:00), use that.
  • If TZ is set to a valid timezone string, use that.
  • If the event was forwarded, and the forwarder-indexer connection is using the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
  • Otherwise, use the timezone of the system that is running splunkd.
  • Defaults to empty.

as you have TZ configuration set to GMT thats why you are getting 2 AM data.

0 Karma
Reply

krusovice
Path Finder
‎12-13-2018 10:16 PM

Thanks for the reply. I'm confused in how Splunk reading the time when the TZ setting is earlier than actual log timestamp (in this case, log is 10AM, but I want Splunk to index the time as 2AM as UTC time).

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-13-2018 09:33 PM

Log file is with GMT +8 timestamp, let say now is 10:00 AM.
TZ setting in props.conf is TZ=UTC (GMT+0), let say the now is 02:00 AM

Hi.. Any reasons why props is having GMT+0.. why not use GMT+8 itself ?!?!

When I've tested to ingest the data, and perform a search for 15min data at 10.00AM, I can only found data at 2:00AM. When I search data for all time, I can get the data at 10:00AM.

on your search query, try to get _indextime and try to print both _time and _indextime.. that may clear your confusion, i think.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

krusovice
Path Finder
‎12-13-2018 10:14 PM

The reason of setting TZ=UTC is because this is global application, there is another same instance based in Europe. I've tried to print both _time and _indextime using this query, found more horrible result. The indextime is 8 hour earlier than _time (_time is 2am, indextime is 6pm a day earlier)

index=* source=*
| eval indextime=_indextime
| stats values(source) by indextime _time
| eval time_gap=indextime - _time, indextime=strftime(indextime, "%y/%m/%d %H:%M:%S")
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...