Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I control the trace line _time field

avitallange
Explorer
‎08-29-2013 03:49 AM

I have a log file with traces of the format:
[source name] [level] [id]: [Time] [trace message]

Splunk auto identifies the _time field and indexes my trace log according to it.

The problem is that this time is a UTC representation and Splunk identifies it as some other timezone. (my user timezone is configured to GMT)

Example:
The original trace line:
TestTraceSource Information: 0 : Time: 08/29/2013 10:16:52, message . . .

Is indexed as:
_time: 08/29/2013 07:16:52


Trace: TestTraceSource Information: 0 : Time: 08/29/2013 10:16:52, message . . .

Regards,
Avital

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-29-2013 04:01 AM

_time is normally the parsed timestamp from a message, and it is adjusted for timezone.

If for some reason Splunk has got the wrong timezone set for a particular input, this can be corrected/specified in props.conf

[spec]
TZ = UTC

will instruct splunk to treat events of type spec as being in the UTC timezone. spec can be one of either sourcetype, source::your_source_name or host::your_host.

See the following docs for more info;

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

/K

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-29-2013 04:01 AM

_time is normally the parsed timestamp from a message, and it is adjusted for timezone.

If for some reason Splunk has got the wrong timezone set for a particular input, this can be corrected/specified in props.conf

[spec]
TZ = UTC

will instruct splunk to treat events of type spec as being in the UTC timezone. spec can be one of either sourcetype, source::your_source_name or host::your_host.

See the following docs for more info;

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

/K

Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...