Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Cloud - props.conf setting for changing TZ to AEST for my events data in UTC format

rakesh_498115
Motivator
‎08-12-2021 11:57 PM

Hi All,

I have the below sample events in my log data i.e. in UTC format , i want Splunk to change the event time to AEST time. I Assume Splunk would definitely convert in to AEST format since the cloud we use for Australian project/region.

 

My Sample Data looks like below in UTC format -

2021-08-11T01:16:25.373937Z I-6083-EP S< : icexsTrace-icexs5-20210811-1116-037.trc64:0000298 | X 8 NRRS202108111116250196534269 N ack_nak_response=ack
2021-08-11T01:16:25.381943Z I-6016-EP R> : icexsTrace-icexs5-20210811-1116-037.trc64:0000314 | 8 MH18000000000000000731127354 P AMQ LUXP112 , ` * MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 CANONICAL CODE 736062787787
2021-08-11T01:16:25.381991Z E-6016-EP S> : icexsTrace-icexs5-20210811-1116-037.trc64:0000323 | _ *SAMPL1* SW051001 MHS18P1 SWLP1 ZP11SIV HXU4P73A MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 CANONICAL CODE 736062787787
2021-08-11T01:16:25.422824Z E-6016-EP R< : icexsTrace-icexs5-20210811-1116-037.trc64:0000392 | ' MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 00CANONICAL CODE 736062787787 001000000000879575CR000000000879575CRAUD00000000000000000000000000000013d46777ec304eadb673f30ed0487f99 *CSMOKY*
2021-08-11T01:16:25.423000Z I-6016-EP S< : icexsTrace-icexs5-20210811-1116-037.trc64:0000399 | 8 MH18000000000000000731127354 MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 00CANONICAL CODE 736062787787 001000000000879575CR000000000879575CRAUD00000000000000000000000000000013d46777ec304eadb673f30ed0487f99
2021-08-11T01:16:25.428780Z E-6053-EP R< : icexsTrace-icexs5-20210811-1116-037.trc64:0000419 | <BusMsg> <AppHdr xmlns="urn:iso:std:iso:20022:tech:xsd:head.001.001.01"> <Fr> <FIId> <FinInstnId> <BICFI>RSBKAUFSXXX</BICFI> </FinInstnId> </FIId> </Fr> <To> <FIId> <FinInstnId> <BICFI>WPACAU2SXXX</BICFI> </FinInstnId> </FIId> </To> <BizMsgIdr>RSBKAUFSXXX20210811000116253109041</BizMsgIdr> <MsgDefIdr>pacs.002.001.06</MsgDefIdr> <BizSvc>npp.stlmnt.01-sct.04</BizSvc> <CreDt>2021-08-11T01:16:25.310Z</CreDt> <Prty>NORM</Prty> </AppHdr> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:pacs.002.001.06"> <FIToFIPmtStsRpt> <GrpHdr> <MsgId>RSBKAUFSXXX20210811000116253109041</MsgId> <CreDtTm>2021-08-11T01:16:25.310Z</CreDtTm> <InstgAgt> <FinInstnId> <BICFI>RSBKAUFSXXX</

 

And Each line represents a event in my log , So i have defined the below sourcetype settings  -


[ <SOURCETYPE NAME> ]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=AUTO
disabled=false

But Still i could see events timestamp as UTC format only in Splunk , How would i change it have to AEST Timezone for events..

 

Could you please help with the settings ??

Labels (1)
Labels
Tags (1)
Preview file
120 KB
0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎08-16-2021 01:47 PM

The source of truth for the timestamp is in the log itself. What you want to do is set your timezone for your user preference within Splunk so that it shows your preferred time zone when you run your searches.

On your search head, click on: Username > Preferences > Time Zone

m_pham_0-1629146828876.png

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...