Getting metrics timestamp in future

Getting Data In

Hello, I am trying to get metrics from RouterOS using scripting (logs are forwarded using UDP)

I end up with all timestamps 3 hours in the future (tried adding TZ = GMT, didn't help)

I created a custom format like this: `script, debug <TIMESTAMP> metric_name=firewall_rule <OTHER.DIMS..> packets=100 bytes = 11`

Example:

script, debug aug/01/2020 17:35:14 +03:00:00 metric_name=firewall_rule rule=dummy bytes=12345 packet=40

I also tried doing

| makeresults | eval test=strptime("aug/01/2020 17:35:14 +03:00:00", "%b/%d/%Y %T %::z")

And I get correct UNIX timestamp in query results

transforms.conf

[metric-schema:log2metrics_mikrotik_keyvalue]
METRIC-SCHEMA-MEASURES-firewall_rule = packets, bytes

props.conf

[log2metrics_mikrotik_keyvalue]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
METRIC-SCHEMA-TRANSFORMS = metric-schema:log2metrics_mikrotik_keyvalue
NO_BINARY_CHECK = true
TRANSFORMS-EXTRACT = field_extraction
category = Metrics
pulldown_type = 1
# RouterOS
# mmm/dd/yyyy HH:MM:SS [+-]TZHH:TZMM:TZSS
TIME_FORMAT = %b/%d/%Y %T %::z
TZ = GMT
disabled = false
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = 
PREAMBLE_REGEX = script,debug

Get Updates on the Splunk Community!

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

Are you a member of the Splunk Community?