Re: Time Log always add 7 hours

sianty910 · ‎04-11-2018

hello, i"m a newbie in splunk.
i try to display my log file on splunk, but i had a issue here.

this in example for my log file :
2018 Apr 12 13:03:00:000 GMT +0700 Test14

but the displayed time is always added with 7 hours.

can anyone help me?
thanks

pruthvikrishnap · ‎06-21-2018

Try this in your props:

[source::.../*.log]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 16
TZ = Etc/GMT+7

damien_chillet · ‎04-12-2018

Try to change your timezone in your Account Settings. You must be using GMT and since the event is GMT +7000, Splunk is adjusting the timestamp to your timezone.

sianty910 · ‎04-12-2018

Hi. i've already tried to change my timezone to GMT + 07.00 but still no changes on mu log display.

damien_chillet · ‎04-12-2018

Did you have timezone information in your original props.conf?

TIME_FORMAT = %Y %b %d %H:%M:%S:%3N %Z %z

sianty910 · ‎04-12-2018

for using this time format with timezone (%Z), i have to increase the MAX_TIMESTAMP_LOOKAHEAD to 34, right?

i've already tried it also. and still no changes.

my props.conf :
TZ = GMT
TIME_PREFIX = ^
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N %Z %z
MAX_TIMESTAMP_LOOKAHEAD = 34

did i miss something?

damien_chillet · ‎04-13-2018

You will need to reindex the file to see changes though.
Also you can remove TZ since we get timezone from TIME_FORMAT.

sianty910 · ‎04-11-2018

for info, i've already tried using this config on my props.conf but it no works :

TZ = GMT
TIME_PREFIX = ^
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N
MAX_TIMESTAMP_LOOKAHEAD = 24

Time Log always add 7 hours

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Time Log always add 7 hours

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2