Splunk indexes event with incorrect timezone

mrteen2010
Loves-to-Learn

I have the following props configuration:


[log_files]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
TRUNCATE = 0
# KV_MODE accepts none, auto, auto_escaped, multi, json or xml; "true" is not a valid value
KV_MODE = auto
pulldown_type = true
# TRANSFORMS_FIELDS is not a documented props.conf key (field extractions use TRANSFORMS-<class>, REPORT-<class> or EXTRACT-<class>); left as posted
TRANSFORMS_FIELDS = data,time
# Matches the leading "YYYY-MM-DD HH:MM:SS" of each IIS line; note there is no zone in this pattern and no TZ setting in the stanza
TIME_FORMAT = %Y-%m-%d %H:%M:%S

My log files contain IIS logs as follows:

2020-01-22 12:00:37 ::1 GET /test - 80 ::1 Mozilla/5.0+(Windows+NT+6.1;+Win64; x64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 200 2 5 100

Splunk indexes this file with an incorrect time: I get an event with time 15:00:07 instead of 12:00:37 (and I see another field, date_zone=-180). How can I make Splunk index the event with the original time from the log file?

NOTE: I don't know the logs' timezone.

0 Karma

s2_splunk
Splunk Employee

Please consult the documentation here and the linked information at the bottom of the page to understand how Splunk assigns timezones if the event timestamp in itself does not contain a TZ qualifier.

You would need to at least know what the source logs' timezone is to properly configure things...

0 Karma

mrteen2010
Loves-to-Learn

Hi, 

Isn't it possible to simply make Splunk take the original event time from the log file without TZ conversion?

Thanks for your answer!

0 Karma

s2_splunk
Splunk Employee

A timestamp in a global context isn't complete without a timezone reference. You can get away without specifying any timezones if you ensure all your systems are set to log in the same timezone (e.g. UTC), which is what a lot of organizations do.

In the absence of this, either timestamps need to have an embedded timezone offset, or you can explicitly set the timezone a timestamp was generated in when configuring your sources.   

Not having timestamps properly represented can cause issues with indexing (out of order events) and search (time-based correlation), so you want to make sure that every timestamp has a timezone context. 

Alternatively, you may choose to simply use the time an event was indexed as the event timestamp. 

0 Karma
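A worked illustration of the options in the answer above (assume one zone for the source, embed the offset in the timestamp, or accept that unzoned clocks from different hosts cannot be ordered). This is an added example, not code from the original post or from Splunk: it reproduces in Python what Splunk does with the question's TIME_FORMAT, using the IIS line from the question as a constructed sample; the offset values and the second "host_minus3" line are assumptions chosen for the demonstration. One fact worth checking before configuring the source: IIS W3C extended logging writes its date and time fields in UTC, so for stock IIS logs TZ = UTC is the usual setting; confirm it by comparing one logged request against a clock you trust.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the IIS W3C log line from the question above (no zone in the timestamp).
IIS_LINE = ("2020-01-22 12:00:37 ::1 GET /test - 80 ::1 "
            "Mozilla/5.0+(Windows+NT+6.1;+Win64; x64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 200 2 5 100")

# Same pattern as the TIME_FORMAT in the question's props.conf stanza; %z is what an embedded offset needs.
NAIVE_FORMAT = "%Y-%m-%d %H:%M:%S"
OFFSET_FORMAT = "%Y-%m-%d %H:%M:%S %z"


def parse_naive(line, fmt=NAIVE_FORMAT):
    """Take the leading 'date time' fields of an IIS line and parse them without a zone.

    This is the state Splunk is in when TIME_FORMAT matches but neither the
    timestamp nor a TZ setting says which zone the clock was in.
    """
    date_part, time_part = line.split(" ", 2)[:2]
    return datetime.strptime(f"{date_part} {time_part}", fmt)


def epoch_assuming_offset(naive, offset_minutes):
    """Attach an assumed UTC offset (in minutes, the unit Splunk's date_zone field uses) and return epoch seconds.

    A TZ setting on the source, or failing that the indexer's own zone, is what supplies this offset.
    """
    assumed = timezone(timedelta(minutes=offset_minutes))
    return int(naive.replace(tzinfo=assumed).timestamp())


def stamp_with_offset(naive, offset_minutes):
    """Render the timestamp with its offset embedded ('... +0000'), the form that needs no TZ setting."""
    zone = timezone(timedelta(minutes=offset_minutes))
    return naive.replace(tzinfo=zone).strftime(OFFSET_FORMAT)


def parse_with_offset(stamp):
    """Parse an offset-bearing timestamp to epoch seconds; unambiguous whatever the host's zone."""
    return int(datetime.strptime(stamp, OFFSET_FORMAT).timestamp())


def order_events(events, use_offsets):
    """Sort (label, line, offset_minutes) tuples and return the labels in time order.

    With use_offsets=False the sort key is the bare clock reading, which is what you get when
    every source is silently assumed to share one zone; with True each source's real offset is applied.
    """
    def key(event):
        _, line, offset = event
        return epoch_assuming_offset(parse_naive(line), offset if use_offsets else 0)
    return [label for label, _, _ in sorted(events, key=key)]


# Constructed (assumed) inputs: two web servers, one logging in UTC and one in UTC-3, neither writing a zone.
MIXED_SOURCES = [
    ("host_utc", IIS_LINE, 0),
    ("host_minus3", "2020-01-22 11:30:00 ::1 GET /test - 80 ::1 - - 200 0 0 5", -180),
]


if __name__ == "__main__":
    naive = parse_naive(IIS_LINE)
    print("same clock reading as UTC   :", epoch_assuming_offset(naive, 0))
    print("same clock reading as UTC-3 :", epoch_assuming_offset(naive, -180))
    embedded = stamp_with_offset(naive, 0)
    print("embedded offset             :", embedded, "->", parse_with_offset(embedded))
    print("order ignoring offsets      :", order_events(MIXED_SOURCES, use_offsets=False))
    print("order with real offsets     :", order_events(MIXED_SOURCES, use_offsets=True))
```

The Splunk-side equivalents: `epoch_assuming_offset(naive, 0)` is what `TZ = UTC` in the `[log_files]` stanza does at index time; `parse_with_offset` corresponds to `TIME_FORMAT = %Y-%m-%d %H:%M:%S %z` once the producer writes an offset into each line; and the "use the index time" fallback from the answer is `DATETIME_CONFIG = CURRENT`. The `order_events` comparison shows the out-of-order problem the answer warns about: with the offsets ignored, host_minus3's 11:30 event sorts before host_utc's 12:00:37 event even though it actually happened about two and a half hours later.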