Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk index event with incorrect timezone

mrteen2010
Loves-to-Learn
‎04-27-2021 02:16 AM

I have the following props configuration:

 

[log_files]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
TRUNCATE = 0
KV_MODE = true
pulldown_type = true
TRANSFORMS_FIELDS = data,time
TIME_FORMAT = %Y-%m-%d %H:%M:%S

 

My log files contains IIS logs as follow:

 

2020-01-22 12:00:37 ::1 GET /test - 80 ::1 Mozilla/5.0+(Windows+NT+6.1;+Win64; x64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 200 2 5 100

 

Splunk indexing this file with incorrect time, I got event with time 15:00:07 instead 12:00:37 (and I see another field date_zone=-180), How can I make splunk index event with original the time from the logs file?

NOTE: I don't know the logs timezone .

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎04-27-2021 10:37 AM

Please consult the documentation here and the linked information at the bottom of the page to understand how Splunk assigns timezones if the event timestamp in itself does not contain a TZ qualifier.

You would need to at least know what the source logs' timezone is to properly configure things...

0 Karma
Reply

mrteen2010
Loves-to-Learn
‎04-28-2021 12:24 AM

Hi, 

It isn't possible simply make splunk to take the original event time from log file without TZ converting??

Thanks for your answer!

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎04-28-2021 08:45 AM

A timestamp in a global context isn't complete without a timezone reference. You can get away without specifying any timezones if you ensure all your systems are set to log in the same timezone (e.g. UTC), which is what a lot of organizations do.

In the absence of this, either timestamps need to have an embedded timezone offset, or you can explicitly set the timezone a timestamp was generated in when configuring your sources.   

Not having timestamps properly represented can cause issues with indexing (out of order events) and search (time-based correlation), so you want to make sure that every timestamp has a timezone context. 

Alternatively, you may choose to simply use the time an event was indexed as the event timestamp. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...