Help with props.conf to detect timestamp

power12 · ‎04-18-2022

Hello Splunkers,

I have the following raw event.It was parsing with correct date and time until the daylight saving started but after march 13th(daylight saving started) I see one hour mismatch..what changes should I make on props.conf to show the correct time?

3/13/22
11:59:59.989 PM

2022-03-13 22:59:59,989 |v144031v~212657|*** conn[SSL/TLS]=103 CLIENT(1.1.2.2:23) disconnected.

Thanks in Advance

sperkins · ‎04-21-2022

You can set your Timezone in props.conf

example:

[host::nyc*]
TZ = US/Eastern

https://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps

isoutamo · ‎04-21-2022

I have seen that there are still some e.g. network equipments which needs reboot after summer/normal time has changed. But as @PickleRick said you should try to get TZ information on source side into events. Then there shouldn't be any issues with it especially when source system and splunk indexer/heavy forwarder are in different time zone!

r. Ismo

PickleRick · ‎04-18-2022

Ideally, you should have timezone information within the timestamp. Otherwise, if you know timezone the timestamp is reported in (and it's not prone to change with daylight saving), you can set the timezone explicitly for the given source or sourcetype.

Help with props.conf to detect timestamp

props.conf

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)