Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk timestamp offset GMT

SFOTC
New Member
‎11-11-2020 01:15 PM

Good evening. 

I have a ASCII event message that looks like the following: The timestamp is in GMT time.  When Splunk coverts the timestamp the result is off by 5 hours. For this event message, the resulting timestamp is "11/11/20
5:46:39.969 PM" but should really be "11/11/20 12:46:39.969 PM". I have the servers local time zone set to "UTC -5 Eastern Time".  I already created a "props.conf" file and placed the following "TZ=Etc/GMT0", but it did not change the Splunk time stamp. 

INFO Stol 20-314-17:46:39.969: !!!!!!!!!INST Telemetry Started !!!!!!

Thank for your assistance.

Labels (1)
Labels
0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎11-12-2020 10:35 AM

Can you provide exact props and exact sample event?

0 Karma
Reply

SFOTC
New Member
‎11-12-2020 07:41 AM

Thanks, we are a little closer to what we need, but I'm not sure if Splunk can do this. 

Our event times are in: YY-DOY-HH:MM:SS (example: 20-316-23:16:36.36)

 The above example relates to a date of: 11/11/20 7:16.36pm (a time of 00:00:00 represents 8:00PM and a rollover of the next day).  Can Splunk handle a format like this?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-12-2020 09:33 AM

Hi

You should try time format as "%y-%j-%H:%M:%S" and probably the correct time zone from inputs.conf if it isn't  in time string.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

r. Ismo

0 Karma
Reply

SFOTC
New Member
‎11-11-2020 06:33 PM

Ok, thank I will give that a try. What directory are the "indexers" placed?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-11-2020 09:38 PM
From where you are collecting those files (same TZ than splunk indexers are or from an UF which TZ is UTC-5)? As @richgalloway said splunk indexers use GMT as internal time when they are storing events. But this information comes from event or from UF if events' have any timezone information. So if you are using UF and those are in TZ=UTC-5 then you must put that information to your inputs.conf on UF.
r. Ismo
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2020 01:38 PM

Timestamps as assumed to be in the same time zone as the Splunk server unless otherwise specified.  You have a TZ specified, but it's not working so we'll presume the setting is incorrect.  Begin by changing the TZ setting to "UTC" or "GMT".  Also, the props.conf file must be on the forwarder or indexer that first touches the event. 

If that doesn't fix the problem then please share the complete props.conf stanza for event's souretype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...