Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk index event with incorrect timezone

mrteen2010
Loves-to-Learn
‎04-27-2021 02:16 AM

I have the following props configuration:

 

[log_files]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
TRUNCATE = 0
KV_MODE = true
pulldown_type = true
TRANSFORMS_FIELDS = data,time
TIME_FORMAT = %Y-%m-%d %H:%M:%S

 

My log files contains IIS logs as follow:

 

2020-01-22 12:00:37 ::1 GET /test - 80 ::1 Mozilla/5.0+(Windows+NT+6.1;+Win64; x64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 200 2 5 100

 

Splunk indexing this file with incorrect time, I got event with time 15:00:07 instead 12:00:37 (and I see another field date_zone=-180), How can I make splunk index event with original the time from the logs file?

NOTE: I don't know the logs timezone .

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎04-27-2021 10:37 AM

Please consult the documentation here and the linked information at the bottom of the page to understand how Splunk assigns timezones if the event timestamp in itself does not contain a TZ qualifier.

You would need to at least know what the source logs' timezone is to properly configure things...

0 Karma
Reply

mrteen2010
Loves-to-Learn
‎04-28-2021 12:24 AM

Hi, 

It isn't possible simply make splunk to take the original event time from log file without TZ converting??

Thanks for your answer!

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎04-28-2021 08:45 AM

A timestamp in a global context isn't complete without a timezone reference. You can get away without specifying any timezones if you ensure all your systems are set to log in the same timezone (e.g. UTC), which is what a lot of organizations do.

In the absence of this, either timestamps need to have an embedded timezone offset, or you can explicitly set the timezone a timestamp was generated in when configuring your sources.   

Not having timestamps properly represented can cause issues with indexing (out of order events) and search (time-based correlation), so you want to make sure that every timestamp has a timezone context. 

Alternatively, you may choose to simply use the time an event was indexed as the event timestamp. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...