Good evening.
I have an ASCII event message that looks like the following:
INFO Stol 20-314-17:46:39.969: !!!!!!!!!INST Telemetry Started !!!!!!
The timestamp is in GMT time. When Splunk converts the timestamp the result is off by 5 hours. For this event message, the resulting timestamp is "11/11/20 5:46:39.969 PM" but should really be "11/11/20 12:46:39.969 PM". I have the server's local time zone set to "UTC -5 Eastern Time". I already created a "props.conf" file and placed the following in it, "TZ=Etc/GMT0", but it did not change the Splunk time stamp.
Thanks for your assistance.
Can you provide exact props and exact sample event?
Thanks, we are a little closer to what we need, but I'm not sure if Splunk can do this.
Our event times are in: YY-DOY-HH:MM:SS (example: 20-316-23:16:36.36)
The above example relates to a date of 11/11/20 7:16:36 PM (a time of 00:00:00 represents 8:00 PM and a rollover to the next day). Can Splunk handle a format like this?
Hi
You should try the time format "%y-%j-%H:%M:%S" and probably set the correct time zone in inputs.conf if it isn't in the time string.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
r. Ismo
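As an added illustration that is not part of the thread, the following Python (not Splunk configuration) parses the YY-DOY-HH:MM:SS.fff timestamp from the question with the same strptime directives Ismo suggests, renders it in the poster's UTC-5 Eastern zone, and shows why reading a GMT timestamp as local time produces exactly the five-hour skew reported. The sample event line and the fixed UTC-5 offset are taken from the question; the function names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# strptime directives for the YY-DOY-HH:MM:SS.fff layout from the thread:
# %y two-digit year, %j day of year (001-366), %f fractional seconds.
EVENT_TIME_FORMAT = "%y-%j-%H:%M:%S.%f"
TIMESTAMP_RE = re.compile(r"\b(\d{2}-\d{3}-\d{2}:\d{2}:\d{2}\.\d{1,6})")

# Constructed sample, copied from the event line in the question.
SAMPLE_EVENT = "INFO Stol 20-314-17:46:39.969: !!!!!!!!!INST Telemetry Started !!!!!!"
# The poster's server zone, "UTC -5 Eastern Time", as a fixed offset.
EASTERN_STANDARD = timezone(timedelta(hours=-5))


def extract_timestamp(event: str) -> str:
    """Pull the raw YY-DOY timestamp out of an event line."""
    match = TIMESTAMP_RE.search(event)
    if match is None:
        raise ValueError(f"no YY-DOY timestamp in: {event!r}")
    return match.group(1)


def parse_event_time(raw: str, source_tz: timezone = timezone.utc) -> datetime:
    """Parse the timestamp and attach the zone the source wrote it in.

    The string carries no zone marker, so the caller must supply it;
    the thread's source writes GMT, hence UTC is the default.
    """
    naive = datetime.strptime(raw, EVENT_TIME_FORMAT)
    return naive.replace(tzinfo=source_tz)


def to_local(dt: datetime, local_tz: timezone = EASTERN_STANDARD) -> datetime:
    """Render an aware datetime in the server's local zone."""
    return dt.astimezone(local_tz)


def misattribution_error(raw: str, assumed_tz: timezone) -> timedelta:
    """Skew introduced when the indexer assumes the wrong source zone.

    Treating a GMT timestamp as UTC-5 local time places the event five
    hours later than it happened, which is the offset the poster saw.
    """
    return parse_event_time(raw, assumed_tz) - parse_event_time(raw, timezone.utc)


if __name__ == "__main__":
    raw = extract_timestamp(SAMPLE_EVENT)
    utc_time = parse_event_time(raw)
    print("parsed as UTC:        ", utc_time.isoformat())
    print("shown in Eastern:     ", to_local(utc_time).strftime("%m/%d/%y %I:%M:%S.%f %p"))
    print("skew if read as local:", misattribution_error(raw, EASTERN_STANDARD))
```

Day 314 of 2020 parses to 9 November because 2020 is a leap year, so the conversion also shows how %j resolves the day-of-year independently of the month.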
OK, thanks, I will give that a try. Which directory are the "indexers" placed in?
Timestamps are assumed to be in the same time zone as the Splunk server unless otherwise specified. You have a TZ specified, but it's not working, so we'll presume the setting is incorrect. Begin by changing the TZ setting to "UTC" or "GMT". Also, the props.conf file must be on the forwarder or indexer that first touches the event.
If that doesn't fix the problem then please share the complete props.conf stanza for the event's sourcetype.