I have a database log that comes in with a time stamp which is used by Splunk as the time stamp. However, I noticed the time is in UTC which is neither my time zone nor the time zone the server is in, but somehow the Database admin can't change the time reported in the raw log.
Is there a way to have Splunk convert the time to MST or its own time zone that matches that of my other logs? Can I put this in the props.conf file so it's done on the indexers before the logs are searched?
What command/string can I put in the props.conf file to make this change?
There is no reason to do this. Splunk internally normalizes all times to UTC anyway. Furthermore, it re-normalizes them to your configured user Time zone setting whenever you interact with Splunk. Therefore, as long as you have configured TZ correctly in props.conf and also your Edit Account -> Time zone setting, everything should be handled seamlessly as you would like it to.
How do you configure TZ in props.conf? Is it:
TZ = US/Mountain
Can I also get Splunk to ignore the time stamp in the log and use the time it received the log as the time stamp?
That setting is correctly formatted, but keep in mind that it does not CHANGE anything; it informs the indexer what TZ to apply to the time found inside those events (if there is no TZ attached to the timestamp inside the event). You can get Splunk to use _indextime as the timestamp with this:
DATETIME_CONFIG = CURRENT
After looking at the logs, it appears there is no TZ attached to the timestamp. Here is what the timestamp in the log looks like:
Looking at this setting, do you think I need to add "TZ = UTC" to the props.conf file?
I think that Z is probably Zulu (which means UTC). You should use this (with no TZ config):
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%6N%z
TZ_ALIAS = Z=UTC
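To make the effect of the TZ / TZ_ALIAS discussion concrete, here is an added Python model (not Splunk code and not from any of the posters) of what the indexer does with a Z-suffixed timestamp. It parses constructed sample timestamps the way the final answer's TIME_FORMAT and TZ_ALIAS = Z=UTC would (Z mapped to UTC), contrasts that with the misconfigured case where the Z is not understood and the wall-clock digits are read in the indexer's own zone, and then renders the correct epoch in a fixed UTC-7 stand-in for the asker's MST. The sample timestamps, the Python strptime format (strptime has no %6N, so %f is used), and the fixed-offset MST zone are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample timestamps in the shape the thread describes: ISO 8601,
# microsecond precision, trailing "Z" (Zulu) and no numeric UTC offset.
SAMPLE_TIMESTAMPS = [
    "2015-03-10T14:05:09.123456Z",
    "2015-03-10T23:59:59.000001Z",
]

# Python counterpart of the answer's TIME_FORMAT, minus the zone token:
# strptime has no %6N, so the subseconds are %f. (Assumed mapping.)
PY_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"

# Hypothetical display zone: a fixed UTC-7 stand-in for the asker's MST.
# Real US/Mountain shifts with DST; a fixed offset keeps the example offline.
MST = timezone(timedelta(hours=-7), "MST")

# Counterpart of TZ_ALIAS = Z=UTC: map a bare zone token to a real offset.
TZ_ALIAS = {"Z": timezone.utc}


def split_zone_token(raw: str) -> tuple[str, str]:
    """Return (wall-clock part, zone token) for a raw timestamp such as
    '...09.123456Z'. An empty token means no zone was attached."""
    for token in TZ_ALIAS:
        if raw.endswith(token):
            return raw[: -len(token)], token
    return raw, ""


def parse_with_alias(raw: str) -> datetime:
    """Correct case: the trailing token is resolved through TZ_ALIAS, so the
    digits are read as UTC. The result's epoch is what the index would store."""
    clock, token = split_zone_token(raw)
    zone = TZ_ALIAS[token] if token else timezone.utc  # no token: assume UTC
    return datetime.strptime(clock, PY_TIME_FORMAT).replace(tzinfo=zone)


def parse_ignoring_zone(raw: str, assumed_zone: timezone) -> datetime:
    """Misconfigured case: the token is not understood, so the same digits are
    read as if they were in `assumed_zone` (e.g. the indexer's local zone)."""
    clock, _token = split_zone_token(raw)
    return datetime.strptime(clock, PY_TIME_FORMAT).replace(tzinfo=assumed_zone)


def misparse_error_seconds(raw: str, assumed_zone: timezone) -> int:
    """Seconds by which the event lands away from its true time when the zone
    token is ignored. A UTC stamp read as MST is placed 7 h too late (25200 s)."""
    right = parse_with_alias(raw)
    wrong = parse_ignoring_zone(raw, assumed_zone)
    return int((wrong - right).total_seconds())


def display_in(dt: datetime, zone: timezone) -> str:
    """What the user sees once Splunk re-normalizes the stored UTC time to the
    account's Time zone setting."""
    return dt.astimezone(zone).strftime("%Y-%m-%d %H:%M:%S.%f %Z")


if __name__ == "__main__":
    for raw in SAMPLE_TIMESTAMPS:
        correct = parse_with_alias(raw)
        print(f"{raw} -> epoch {int(correct.timestamp())} -> shown as {display_in(correct, MST)}")
        print(f"  if Z were ignored and the digits read as MST, the event would "
              f"be off by {misparse_error_seconds(raw, MST)} s")
```

The 25200-second error is exactly the kind of shift that makes UTC database events appear hours apart from the other logs; aliasing Z to UTC removes it without rewriting the raw event, and the account Time zone setting then handles the display in MST.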