Getting Data In

How to change the time format before or while logs are being parsed?

New Member

I have a database log that comes in with a time stamp which is used by Splunk as the time stamp. However, I noticed the time is in UTC, which is neither my time zone nor the time zone the server is in, but somehow the database admin can't change the time reported in the raw log.

Is there a way to have Splunk convert the time to MST or its own time zone that matches that of my other logs? Can I put this in the props.conf file so it's done on the indexers before the logs are searched?

What command/string can I put in the props.conf file to make this change?

Thanks,


Re: How to change the time format before or while logs are being parsed?

Esteemed Legend

There is no reason to do this. Splunk internally normalizes all times to UTC anyway. Furthermore, it re-normalizes them to your configured user Time zone setting whenever you interact with Splunk. Therefore, as long as you have configured TZ correctly in props.conf and also your Edit Account -> Time zone setting, everything should be handled seamlessly as you would like it to.


Re: How to change the time format before or while logs are being parsed?

New Member

How do you configure TZ in props.conf? Is it:

TZ = US/Mountain

Can I also get Splunk to ignore the time stamp in the log and use the time it received the log as the time stamp?


Re: How to change the time format before or while logs are being parsed?

Esteemed Legend

That setting is correctly formatted, but keep in mind that it does not CHANGE anything; it informs the indexer which TZ to apply to the time found inside those events (if there is no TZ attached to the timestamp inside the event). You can get Splunk to use _indextime as the timestamp with this:

DATETIME_CONFIG = CURRENT

Re: How to change the time format before or while logs are being parsed?

New Member

Thanks Woodcock.

After looking at the logs, it appears there is no TZ attached to the timestamp. Here is what the timestamp in the log looks like:

2016-06-08T18:01:36.293126Z

Looking at this setting, do you think I need to add "TZ = UTC" to the props.conf file?


Re: How to change the time format before or while logs are being parsed?

Esteemed Legend

I think that Z is probably Zulu, which means GMT (UTC). You should use this (with no TZ config):

TIME_FORMAT = %Y-%m-%dT%H:%M:%S%6N%z
TZ_ALIAS = Z=UTC
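As an added illustration (not code from the thread), the Python below emulates what the props.conf settings discussed above do with the quoted timestamp: a TIME_FORMAT that consumes the trailing Z (the TZ_ALIAS route) yields the correct _time, while a TIME_FORMAT that ignores the Z combined with TZ = US/Mountain silently shifts the event by six hours, which breaks correlation with the other logs. The emulation assumes the indexer's own zone is UTC when no TZ is configured.

```python
from datetime import datetime
from typing import Optional
from zoneinfo import ZoneInfo

# Constructed sample input: the raw timestamp quoted in the thread.
RAW_TIMESTAMP = "2016-06-08T18:01:36.293126Z"

# Python strptime equivalents of the two TIME_FORMAT choices discussed above
# (Splunk's %6N is Python's %f; Splunk's %z with TZ_ALIAS Z=UTC corresponds
# to Python's %z, which accepts a trailing "Z").
FORMAT_WITH_OFFSET = "%Y-%m-%dT%H:%M:%S.%f%z"   # consumes the Z
FORMAT_WITHOUT_OFFSET = "%Y-%m-%dT%H:%M:%S.%f"  # leaves the Z unread


def strptime_prefix(raw: str, fmt: str) -> datetime:
    """Splunk ignores text after the part TIME_FORMAT consumes; Python's
    strptime does not, so parse the longest prefix that matches."""
    for end in range(len(raw), 0, -1):
        try:
            return datetime.strptime(raw[:end], fmt)
        except ValueError:
            continue
    raise ValueError(f"{raw!r} does not match {fmt!r}")


def event_epoch(raw: str, time_format: str, tz: Optional[str] = None,
                indexer_tz: str = "UTC") -> float:
    """Emulate how the indexer assigns _time: parse with TIME_FORMAT; if the
    parsed value carries no offset, apply the configured TZ, or else the
    indexer's own zone (assumed UTC here)."""
    dt = strptime_prefix(raw, time_format)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=ZoneInfo(tz or indexer_tz))
    return dt.timestamp()


def render_for_user(epoch: float, user_tz: str) -> str:
    """Emulate the per-user Time zone setting: _time stays normalized,
    only the displayed value changes."""
    return datetime.fromtimestamp(epoch, ZoneInfo(user_tz)).isoformat()


if __name__ == "__main__":
    correct = event_epoch(RAW_TIMESTAMP, FORMAT_WITH_OFFSET)
    wrong = event_epoch(RAW_TIMESTAMP, FORMAT_WITHOUT_OFFSET, tz="US/Mountain")
    print("Z honoured, shown in US/Mountain :", render_for_user(correct, "US/Mountain"))
    print("Z ignored, TZ=US/Mountain        :", render_for_user(wrong, "US/Mountain"))
    print("timeline skew in seconds         :", int(wrong - correct))  # 21600
```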