Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk timestamp offset GMT

SFOTC
New Member
‎11-11-2020 01:15 PM

Good evening. 

I have a ASCII event message that looks like the following: The timestamp is in GMT time.  When Splunk coverts the timestamp the result is off by 5 hours. For this event message, the resulting timestamp is "11/11/20
5:46:39.969 PM" but should really be "11/11/20 12:46:39.969 PM". I have the servers local time zone set to "UTC -5 Eastern Time".  I already created a "props.conf" file and placed the following "TZ=Etc/GMT0", but it did not change the Splunk time stamp. 

INFO Stol 20-314-17:46:39.969: !!!!!!!!!INST Telemetry Started !!!!!!

Thank for your assistance.

Labels (1)
Labels
0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎11-12-2020 10:35 AM

Can you provide exact props and exact sample event?

0 Karma
Reply

SFOTC
New Member
‎11-12-2020 07:41 AM

Thanks, we are a little closer to what we need, but I'm not sure if Splunk can do this. 

Our event times are in: YY-DOY-HH:MM:SS (example: 20-316-23:16:36.36)

 The above example relates to a date of: 11/11/20 7:16.36pm (a time of 00:00:00 represents 8:00PM and a rollover of the next day).  Can Splunk handle a format like this?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-12-2020 09:33 AM

Hi

You should try time format as "%y-%j-%H:%M:%S" and probably the correct time zone from inputs.conf if it isn't  in time string.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

r. Ismo

0 Karma
Reply

SFOTC
New Member
‎11-11-2020 06:33 PM

Ok, thank I will give that a try. What directory are the "indexers" placed?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-11-2020 09:38 PM
From where you are collecting those files (same TZ than splunk indexers are or from an UF which TZ is UTC-5)? As @richgalloway said splunk indexers use GMT as internal time when they are storing events. But this information comes from event or from UF if events' have any timezone information. So if you are using UF and those are in TZ=UTC-5 then you must put that information to your inputs.conf on UF.
r. Ismo
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2020 01:38 PM

Timestamps as assumed to be in the same time zone as the Splunk server unless otherwise specified.  You have a TZ specified, but it's not working so we'll presume the setting is incorrect.  Begin by changing the TZ setting to "UTC" or "GMT".  Also, the props.conf file must be on the forwarder or indexer that first touches the event. 

If that doesn't fix the problem then please share the complete props.conf stanza for event's souretype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...