Getting Data In

Time stamp format in source type.

Explorer

I have selected the Time stamp format %b %d %H:%M:%S CET %Y for one of the source-types.
I would like to change it in such a way, so that it can handle both CET and CEST.


Re: Time stamp format in source type.

SplunkTrust

Have you tried %b %d %H:%M:%S %Z %Y?

---
If this reply helps you, an upvote would be appreciated.

Re: Time stamp format in source type.

Explorer

It's not working as expected.

Date format in the event:
Wed Aug 23 16:44:28 CEST 2016
Wed Aug 23 16:46:20 CET 2016

props.conf settings:
Timestamp format = %b %d %H:%M:%S CET %Y
Timestamp prefix = \s+\w+\s+
If I use `CET` or `CEST` in `Timestamp format`, the date and time are extracted properly.

But if I use %Z in the place of CET or CEST:
Timestamp format = %b %d %H:%M:%S %Z %Y
The Hours field is showing two hours less for both CEST and CET.

Re: Time stamp format in source type.

SplunkTrust

I'm tempted to suggest using TZ_ALIAS, but I'm not sure it will help.

---
If this reply helps you, an upvote would be appreciated.

Re: Time stamp format in source type.

SplunkTrust

When you say the Hours field is showing two hours less than CEST, is it the _time value in search? What time zone are your indexers in, and what is the time zone of the user from which you're running the search?


Re: Time stamp format in source type.

Explorer

The _time field is not getting proper values when I change the time zone from where I am running my search.

The events come with the following date format. It has CET or CEST hard-coded in the event.
Wed Aug 23 16:44:28 CEST 2016
Wed Aug 23 16:46:20 CET 2016

In props.conf settings:
Timestamp format = %b %d %H:%M:%S CET %Y
Timestamp prefix = \s+\w+\s+
If I use CET or CEST in Timestamp format, the date and time are extracted properly into the _time field.

I want to make this generic, so that it can handle both CET and CEST.
But if I use %Z in the place of CET or CEST, the Hours field in _time is showing wrong hours for both CEST and CET.
Timestamp format = %b %d %H:%M:%S %Z %Y


Re: Time stamp format in source type.

Explorer

Events come with the following hard-coded date format.
Wed Aug 23 16:44:28 CEST 2016
Wed Aug 23 16:46:20 CET 2016

In props.conf settings:
Timestamp format = %b %d %H:%M:%S CET %Y
Timestamp prefix = \s+\w+\s+
If I use CET or CEST in Timestamp format, the date and time are extracted properly into the _time field.

I want to make this generic, so that it works with CET or CEST.
But if I use %Z in the place of CET or CEST, the hours field is not extracted properly into the _time field for both CEST and CET.
Timestamp format = %b %d %H:%M:%S %Z %Y

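To make concrete what the two abbreviations mean for _time, here is an added example (not from this thread and not Splunk code) that parses the exact timestamps above with the same skip-the-weekday prefix and `%b %d %H:%M:%S %Z %Y` field order, resolves CET and CEST to their fixed UTC offsets, and reports how many hours _time drifts when one zone is hard-coded in the format. The event suffixes after the year and the abbreviation-to-offset table are constructed for the example; an abbreviation missing from that table is rejected rather than silently defaulted.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events built around the two timestamps quoted in the thread.
EVENTS = [
    "Wed Aug 23 16:44:28 CEST 2016 app=billing msg=started",
    "Wed Aug 23 16:46:20 CET 2016 app=billing msg=stopped",
]

# Fixed UTC offsets the abbreviations denote (CET = UTC+1, CEST = UTC+2).
# Constructed table: anything not listed is treated as unknown, not as UTC.
ZONE_OFFSETS = {"CET": timedelta(hours=1), "CEST": timedelta(hours=2)}

# Skip the weekday (the thread's \s+\w+\s+ prefix), then capture the
# %b %d %H:%M:%S %Z %Y fields.
TS_RE = re.compile(
    r"(?:^|\s)\w+\s+(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) "
    r"(?P<hms>\d{2}:\d{2}:\d{2}) (?P<zone>[A-Z]{3,4}) (?P<year>\d{4})"
)


def split_timestamp(line: str):
    """Return (naive wall-clock datetime, zone abbreviation) from an event line."""
    m = TS_RE.search(line)
    if not m:
        raise ValueError(f"no timestamp found in {line!r}")
    naive = datetime.strptime(
        f"{m['mon']} {m['day']} {m['hms']} {m['year']}", "%b %d %H:%M:%S %Y"
    )
    return naive, m["zone"]


def parse_event_time(line: str) -> datetime:
    """Resolve the event's own zone abbreviation and return the instant in UTC.
    An unmapped abbreviation raises; a silent default is what shifts _time."""
    naive, zone = split_timestamp(line)
    if zone not in ZONE_OFFSETS:
        raise ValueError(f"unmapped zone abbreviation {zone!r} in {line!r}")
    return naive.replace(tzinfo=timezone(ZONE_OFFSETS[zone])).astimezone(timezone.utc)


def shift_hours_if_parsed_as(line: str, assumed_zone: str) -> int:
    """Hours by which _time lands late (+) or early (-) when every event is parsed
    as `assumed_zone` (e.g. CET hard-coded in the format) instead of its own zone."""
    _, zone = split_timestamp(line)
    delta = ZONE_OFFSETS[zone] - ZONE_OFFSETS[assumed_zone]
    return int(delta.total_seconds() // 3600)
```

With CET hard-coded, the CEST event lands one hour late while the CET event is correct, which is why the format has to carry the zone from the event rather than a constant.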

Re: Time stamp format in source type.

Champion

Not sure, but did you try TZ in this format in props?
TZ = Europe/London

And are the universal forwarders and search head in the same time zone?

One more question: why two time zones in a single log file?

Also, when I searched, it says CEST is not used nowadays at all.
https://www.timeanddate.com/time/zones/cest
