Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Incorrect time extraction

ivan123357
Explorer
‎12-12-2023 08:11 AM

Hi!

I received an event with the following time string:  2023-12-12T13:39:25.400399Z CEF:0.....

This time is already in the correct timezone, but because of Z, splunk adds to 5 hours. I understand that Z it is timezone indicator but how i can ignore it?

Flow of this event is : Source --> HF --> Indexers. On HF or Indexers i dont have any props or transoforms settings. On Search Heads I extract a few fields from this event and it works. But i can't to extract this time correctly without Z.

I put the following regex inside props.conf on my SHs. Also i tried to put this on indexer's props.conf:

 

TIME_PREFIX = ^\d{2,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}\.\d{1,6}

 

 I tried to add TZ or TZ_ALIAS inside props.conf, but no effect. Where can I be wrong?

Thanks

Labels (2)
Labels
0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎12-12-2023 08:22 AM

You need to add your index time configurations on the HF and not on the SH or Indexers since the HF is where your data is being parsed.

Your TIME_PREFIX configuration could be simpler but we would need to see a full sample log line to help with that; redact any sensitive information by the way if you provide a sample.

0 Karma
Reply

ivan123357
Explorer
‎12-12-2023 08:28 AM

Yeah, sure

2023-12-12T19:39:25.400399Z <ip_address> CEF:0|vendor|product|version|AuditMessage_707|description|4|messageId=666 messageCategory=AuditMessage start=2023-12-12T19:39:25.400399Z user=user node=<ip_address> msg=<message>

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 08:39 AM

Since the timestamp is at the beginning of the event, the prefix is a simple "^".  Try these settings

TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z

The "%Z" is there to interpret the "Z" in the event as a time zone (UTC).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎12-12-2023 08:38 AM

Try this in your props.conf on your HF - I don't know the time zone of your log file so I assume it's UTC, change as needed:

 

TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %FT%T.%6QZ
TZ = UTC

 

I highly recommend you read through best practices for parsing configurations here:

https://kinneygroup.com/blog/splunk-magic-8-props-conf/

Time variables can be found here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

0 Karma
Reply

ivan123357
Explorer
‎12-12-2023 08:54 AM

Thanks for your answers. I tried both options.

I removed everything about time from SHs and Indexers. Put your config to HF (changed timezone),  restart splunkd process and generate a few new events. And again, it was indexed incorrect. I dont know why, but HF still thinking that time inside event is UTC, how i understood it is because timestamp inside event has "Z", but it is incorrect, this timestamp in my timezone, and splunk convert this correct timestamp into my timezone because he is thinking that it is UTC.

Timezone i used from this url : https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 08:59 AM

The presence of "Z" on the end of the timestamp means the time is in UTC.  If that is incorrect then the application writing the logs should be changed to use the correct time zone designation.

A workaround would be to remove "%Z" from the TIME_FORMAT setting so Splunk ignores the time zone.  It will default to the local (to the HF) time zone.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...