
Splunk timestamp offset GMT

SFOTC
New Member

Good evening. 

I have an ASCII event message that looks like the following. The timestamp is in GMT. When Splunk converts the timestamp, the result is off by 5 hours. For this event message the resulting timestamp is "11/11/20 5:46:39.969 PM" but should really be "11/11/20 12:46:39.969 PM". I have the server's local time zone set to "UTC -5 Eastern Time". I already created a "props.conf" file and placed the following in it, "TZ=Etc/GMT0", but it did not change the Splunk timestamp.

INFO Stol 20-314-17:46:39.969: !!!!!!!!!INST Telemetry Started !!!!!!

Thanks for your assistance.


burwell
SplunkTrust

Can you provide exact props and exact sample event?


SFOTC
New Member

Thanks, we are a little closer to what we need, but I'm not sure if Splunk can do this. 

Our event times are in: YY-DOY-HH:MM:SS (example: 20-316-23:16:36.36)

The above example relates to a date of 11/11/20 7:16:36 PM (a time of 00:00:00 represents 8:00 PM and a rollover to the next day). Can Splunk handle a format like this?


isoutamo
SplunkTrust

Hi

You should try the time format "%y-%j-%H:%M:%S" and probably set the correct time zone in inputs.conf if it isn't in the time string.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

r. Ismo


SFOTC
New Member

OK, thanks, I will give that a try. What directory are the "indexers" placed in?


isoutamo
SplunkTrust

From where are you collecting those files (the same TZ as the Splunk indexers, or from a UF whose TZ is UTC-5)? As @richgalloway said, Splunk indexers use GMT as the internal time when they store events. But this information comes from the event, or from the UF if the events don't have any time zone information. So if you are using a UF and those are in TZ=UTC-5, then you must put that information in your inputs.conf on the UF.

r. Ismo

richgalloway
SplunkTrust

Timestamps are assumed to be in the same time zone as the Splunk server unless otherwise specified. You have a TZ specified, but it's not working, so we'll presume the setting is incorrect. Begin by changing the TZ setting to "UTC" or "GMT". Also, the props.conf file must be on the forwarder or indexer that first touches the event.

If that doesn't fix the problem, then please share the complete props.conf stanza for the event's sourcetype.

---
If this reply helps you, Karma would be appreciated.
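Added example, not from the thread and not Splunk's own code: a Python script that parses the YY-DOY-HH:MM:SS timestamp with strptime using isoutamo's "%y-%j-%H:%M:%S" (plus a subsecond field) and shows how the same event lands five hours apart depending on whether the writer's clock is declared as Eastern or as UTC, which is the point of richgalloway's TZ advice. It assumes the IANA zone America/New_York for the server's "UTC -5 Eastern Time", a 20xx year for the two-digit year, and sample events constructed in the shape of the one in the question. Python's strptime is not Splunk's TIME_FORMAT engine, so the subsecond spelling (%f here) differs from what a props.conf TIME_FORMAT would use; see the linked Commontimeformatvariables page for Splunk's own variables.

```python
"""
Added example (not from the thread): reproduce the 5-hour offset with Python's
strptime and show what changes when the source time zone is declared as UTC.

Assumptions (not stated on the page):
  - the two-digit year is 20xx (strptime's %y maps 00-68 to 2000-2068),
  - "UTC -5 Eastern Time" is the IANA zone America/New_York,
  - Python's %f carries the ".969" fraction; Splunk spells subseconds differently.
Requires Python 3.9+ for zoneinfo.
"""
import re
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    EASTERN = ZoneInfo("America/New_York")
except Exception:  # no tz database installed: fall back to a fixed offset.
    # Assumption: the sample dates are in November, outside DST, so a fixed
    # UTC-5 gives the same answer as the real zone would.
    EASTERN = timezone(timedelta(hours=-5), "EST")

UTC = timezone.utc

# YY-DOY-HH:MM:SS.fraction; %j is the day of year (001-366).
TIME_FORMAT = "%y-%j-%H:%M:%S.%f"

# Pulls the timestamp out of the event; "Stol " plays the role of a TIME_PREFIX.
TIME_RE = re.compile(r"Stol\s+(\d{2}-\d{3}-\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)")

# Constructed sample events in the shape shown in the question.
SAMPLE_EVENTS = [
    "INFO Stol 20-314-17:46:39.969: !!!!!!!!!INST Telemetry Started !!!!!!",
    "INFO Stol 20-316-23:16:36.36: INST Telemetry Started",
    "INFO Stol 20-317-00:00:00.000: rollover to next day",
]


def extract_timestamp(event: str) -> str:
    """Return the raw YY-DOY-HH:MM:SS[.fff] string from an event line."""
    m = TIME_RE.search(event)
    if m is None:
        raise ValueError(f"no timestamp found in event: {event!r}")
    return m.group(1)


def parse_event_time(event: str, source_tz) -> datetime:
    """Parse the event's timestamp and attach the zone the writer used.

    source_tz is what Splunk's TZ setting declares: the zone of the clock that
    wrote the event, not the zone you want to display in.
    """
    raw = extract_timestamp(event)
    if "." not in raw:          # %f needs a fraction; supply one if absent.
        raw += ".0"
    naive = datetime.strptime(raw, TIME_FORMAT)
    return naive.replace(tzinfo=source_tz)


def show_in(dt: datetime, display_tz) -> str:
    """Render an aware datetime the way the question does: MM/DD/YY h:MM:SS.mmm AM/PM."""
    local = dt.astimezone(display_tz)
    hour12 = local.hour % 12 or 12
    ampm = "AM" if local.hour < 12 else "PM"
    return f"{local:%m/%d/%y} {hour12}:{local:%M:%S}.{local.microsecond // 1000:03d} {ampm}"


def demo(event: str) -> dict:
    """Compare the two readings of one event's timestamp."""
    # What the question reports: no usable TZ, so the timestamp is taken as
    # server-local (Eastern) time and displayed unchanged.
    as_local = parse_event_time(event, EASTERN)
    # What TZ = UTC (or GMT) declares: the writer's clock was UTC; the stored
    # instant is then rendered in the viewer's zone.
    as_utc = parse_event_time(event, UTC)
    return {
        "raw": extract_timestamp(event),
        "treated_as_eastern": show_in(as_local, EASTERN),
        "treated_as_utc_shown_in_eastern": show_in(as_utc, EASTERN),
        "offset_hours": (as_local - as_utc).total_seconds() / 3600,
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for key, value in demo(ev).items():
            print(f"{key:>33}: {value}")
        print()
```

Run as a script it prints both readings for each sample. Day 314 of 2020 resolves to 11/09/20 because strptime counts the leap day, and with the writer's zone declared as UTC only the time of day shifts, by exactly the five hours reported. The third sample shows the rollover asked about: 00:00:00 UTC on day 317 is 7:00 PM Eastern on the previous calendar day.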