Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change the time format before or while logs are being parsed?

Makinde
New Member
‎06-07-2016 11:01 AM

I have a database log that comes in with a time stamp which is used by Splunk as the time stamp. However, I noticed the time is in UTC which is neither my time zone nor the time zone the server is in, but somehow the Database admin can't change the time reported in the raw log.

Is there a way to have Splunk convert the time to MST or its own time zone that matches that of my other logs? Can I put this in the props.conf file so it's done on the indexers before the logs are searched?

What command/string can I put in the props.conf file to make this change?

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-07-2016 11:37 AM

There is no reason to do this. Splunk internally normalizes all times to UTC anyway. Furthermore, it re-normalizes them to your configured user Time zone setting whenever you interact with Splunk. Therefore, as long as you have configured TZ correctly in props.conf and also your Edit Account -> Time zone setting, everything should be handled seamlessly as you would like it to.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-07-2016 11:37 AM

There is no reason to do this. Splunk internally normalizes all times to UTC anyway. Furthermore, it re-normalizes them to your configured user Time zone setting whenever you interact with Splunk. Therefore, as long as you have configured TZ correctly in props.conf and also your Edit Account -> Time zone setting, everything should be handled seamlessly as you would like it to.

Reply
Solved! Jump to solution

Makinde
New Member
‎06-07-2016 01:42 PM

How do you configure TZ in Props, is it;

TZ = US/Mountain

Can I also get Splunk to ignore the time stamp in the log and use the time it received the log as the time stamp?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-07-2016 10:14 PM

That setting is correctly formatted but keep in mind that it does not CHANGE anything, it informs the indexer what TZ to apply to the time found inside those events (if there is no TZ attached to the timestamp inside the event). You can get Splunk to use _indextime as the timestamp with this:

DATETIME_CONFIG = CURRENT
0 Karma
Reply
Solved! Jump to solution

Makinde
New Member
‎06-08-2016 01:42 PM

Thanks Woodcock.

After looking at the logs, it appears there is no TZ attached to the timestamp. Here is what the timestamp in the log look like;

2016-06-08T18:01:36.293126Z

Looking at this setting, do you think I need to add "TZ = UTC" to the props.conf file?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-08-2016 10:33 PM

I think that Z is probably Zulu which means GMT (UTC). You should use this (with no TZ config):

TIME_FORMAT = %Y-%m-%dT%H:%M:%S%6N%z
TZ_ALIAS = Z=UTC
0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...