Getting Data In

Time Log always add 7 hours

New Member

Hello, I'm a newbie in Splunk.
I try to display my log file in Splunk, but I have an issue here.

This is an example from my log file:
2018 Apr 12 13:03:00:000 GMT +0700 Test14

But the displayed time always has 7 hours added.

Can anyone help me?
Thanks

0 Karma

Contributor

Try this in your props:

[source::.../*.log]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 16
TZ = Etc/GMT+7
0 Karma

Try to change your timezone in your Account Settings. You must be using GMT and since the event is GMT +7000, Splunk is adjusting the timestamp to your timezone.

0 Karma

New Member

Hi. I've already tried to change my timezone to GMT + 07.00 but still no changes on my log display.

0 Karma

Did you have timezone information in your original props.conf?

TIME_FORMAT = %Y %b %d %H:%M:%S:%3N %Z %z
0 Karma

New Member

For using this time format with timezone (%Z), I have to increase the MAX_TIMESTAMP_LOOKAHEAD to 34, right?

I've already tried that as well, and still no changes.

My props.conf:
TZ = GMT
TIME_PREFIX = ^
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N %Z %z
MAX_TIMESTAMP_LOOKAHEAD = 34

Did I miss something?

0 Karma

You will need to reindex the file to see changes though.
Also you can remove TZ since we get timezone from TIME_FORMAT.

0 Karma

New Member

For info, I've already tried using this config in my props.conf but it doesn't work:

TZ = GMT
TIME_PREFIX = ^
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N
MAX_TIMESTAMP_LOOKAHEAD = 24

0 Karma
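
The 7-hour shift discussed in this thread, worked through as an added example (plain Python, not code from any poster and not Splunk's own timestamp parser). It compares reading only the first 24 characters of the event as GMT with reading all 34 characters and honouring the trailing +0700. The function names are hypothetical, and the viewer's display timezone is assumed to be GMT+7.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the event line quoted in the question.
RAW = "2018 Apr 12 13:03:00:000 GMT +0700 Test14"
SHORT_LEN = 24  # "2018 Apr 12 13:03:00:000"
FULL_LEN = 34   # "2018 Apr 12 13:03:00:000 GMT +0700"


def parse_ignoring_offset(raw):
    """Read the 24-character stamp and assume it is GMT (offset never read)."""
    naive = datetime.strptime(raw[:SHORT_LEN], "%Y %b %d %H:%M:%S:%f")
    return naive.replace(tzinfo=timezone.utc)


def parse_with_offset(raw):
    """Read the 34-character stamp; 'GMT' is a literal, %z supplies +0700."""
    return datetime.strptime(raw[:FULL_LEN], "%Y %b %d %H:%M:%S:%f GMT %z")


def shown_to(event_time, utc_offset_hours):
    """Wall-clock string for a viewer whose display timezone is UTC+N."""
    viewer = timezone(timedelta(hours=utc_offset_hours))
    return event_time.astimezone(viewer).strftime("%Y-%m-%d %H:%M:%S")


def skew_seconds(raw):
    """Error introduced when the offset written in the raw text is ignored."""
    delta = parse_ignoring_offset(raw) - parse_with_offset(raw)
    return int(delta.total_seconds())


if __name__ == "__main__":
    wrong = parse_ignoring_offset(RAW)
    right = parse_with_offset(RAW)
    print("offset ignored, shown at GMT+7:", shown_to(wrong, 7))
    print("offset honoured, shown at GMT+7:", shown_to(right, 7))
    print("offset honoured, in UTC:", shown_to(right, 0))
    print("skew in seconds:", skew_seconds(RAW))
```

A constant skew equal to the offset written in the raw event is a sign that the offset was not read at index time; when correlating this source with others, compare events on the UTC instant, not the displayed wall-clock time.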