Getting Data In

Timestamp from GPS data

eyirik
Explorer

Hi,

I get data from a source via TCP. Below you can see the raw data:

2017-02-13T12:20:18.000Z;d7:86:47:6a:f7:84;sourcetype1;36.988593333;35.193628333

The raw data is ";" delimited and the first field is the time coming from the GPS.

How can I assign this GPS time as the timestamp?


martin_mueller
SplunkTrust

Splunk's default auto detection will find this timestamp and time zone.

That being said, whenever possible you should define the extraction - e.g. like this in props.conf:

SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=30

martin_mueller
SplunkTrust

The timestamp inside splunk is displayed with the splunk user's time zone.


martin_mueller
SplunkTrust

The timestamp explicitly states Z / Zulu / UTC as its time zone, and GPS runs on UTC (ignoring leap seconds). Make sure your data actually is a different time zone despite claiming to be UTC, and if possible fix this at the source to avoid other people tripping over the then-incorrect time zone declaration inside the data.


eyirik
Explorer

Time                     Event
2/14/17 5:12:41.000 AM   2017-02-14T10:12

I wrote props.conf like below (corrected time zone).

The UTC GPS time is correct, but the timestamp in Splunk is in a different time zone?

[MD9electriCITY]
SHOULD_LINEMERGE = False
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=30
pulldown_type = 1
REPORT-getfields = temsaapp_fields

[host::5.11.243.33]
TZ = Asia/Istanbul


eyirik
Explorer

Yes, it detects it with a different time zone.

I wrote the below in props.conf, but it does not work.

[MD9electriCITY]
SHOULD_LINEMERGE = False
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=30
pulldown_type = 1
REPORT-getfields = temsaapp_fields

[host::5.11.243.33]
TZ = Asian/Istanbul


esix_splunk
Splunk Employee

Set your timezone on the forwarder where you are ingesting the data.


eyirik
Explorer

I read it from TCP:9999.


esix_splunk
Splunk Employee

What host value comes in for that data? Is it the IP or the DNS / FQDN name? That host stanza will only work if it sees the data coming in as the 5.11.243.33 IP address, and not as a hostname.

Check the host field in search, and adjust as necessary if it isn't correct.


eyirik
Explorer

It comes from IP address: 5.11.243.33

host="5.11.243.33"


esix_splunk
Splunk Employee

Checking here ; https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Should be

TZ = Asia/Istanbul        or
TZ = Europe/Istanbul

Not ....

TZ= Asian/Istanbul

Try that.
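
The settings discussed above (TIME_PREFIX=^, MAX_TIMESTAMP_LOOKAHEAD=30, TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z, a host stanza with TZ, and the Asia/Istanbul versus Asian/Istanbul name check), walked through on the posted line as an added example. This is editor-written Python, not Splunk code and not code from anyone in the thread. It assumes Python 3.9+ for zoneinfo; the field names gps_time/mac/sourcetype/lat/lon are my labels, RAW_NAIVE is a constructed variant of the posted line with the trailing Z removed, and the fixed +03 fallback assumes Turkey's year-round UTC+3 (in force since September 2016) for when no tz database is installed. The zone precedence it implements is the one documented in props.conf.spec: a zone present in the event text is used first, the stanza's TZ only when the text carries none, then the zone of the splunkd host. That is why a line ending in Z lands at the same epoch whatever TZ says, and why what changes between the raw text and the search view is only the user's display zone.

```python
"""Walk through what the thread's props.conf settings do to the posted GPS
line: take the timestamp at TIME_PREFIX=^ within MAX_TIMESTAMP_LOOKAHEAD,
parse it with the Python equivalent of TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z,
resolve its zone, and render it as a user in Asia/Istanbul would see it.
Added example, not Splunk code; needs Python 3.9+ (zoneinfo)."""
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed samples. RAW_ZULU is the line posted in the thread; RAW_NAIVE is
# a hypothetical variant of it with the trailing 'Z' removed.
RAW_ZULU = "2017-02-13T12:20:18.000Z;d7:86:47:6a:f7:84;sourcetype1;36.988593333;35.193628333"
RAW_NAIVE = "2017-02-13T12:20:18.000;d7:86:47:6a:f7:84;sourcetype1;36.988593333;35.193628333"

# Field names are my own labels for the five ';'-separated columns.
FIELDS = ("gps_time", "mac", "sourcetype", "lat", "lon")

MAX_TIMESTAMP_LOOKAHEAD = 30  # same value as in the thread's stanza
# Python strptime equivalents of the Splunk TIME_FORMAT: %f reads the
# 3-digit fraction (%3N) and %z accepts a literal 'Z' (Python 3.7+).
FMT_WITH_ZONE = "%Y-%m-%dT%H:%M:%S.%f%z"
FMT_NO_ZONE = "%Y-%m-%dT%H:%M:%S.%f"


def split_fields(raw):
    """Split one raw line into the five named fields (stand-in for REPORT-getfields)."""
    parts = raw.rstrip("\r\n").split(";")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {raw!r}")
    return dict(zip(FIELDS, parts))


def zone_from_name(name):
    """Return a tzinfo for a tz-database name, or None if the name is unknown
    (the 'Asian/Istanbul' typo from the thread falls in the second case)."""
    try:
        return ZoneInfo(name)
    except (ZoneInfoNotFoundError, ValueError):
        return None


def parse_event_time(raw, stanza_tz=None, indexer_tz=timezone.utc):
    """Return (aware datetime, where its zone came from).

    Zone precedence follows props.conf.spec: a zone written in the event text
    wins, then the TZ of the matching props.conf stanza, then the clock zone
    of the system running splunkd (passed here as indexer_tz).
    """
    # TIME_PREFIX=^ : the timestamp starts at offset 0; only look 30 chars ahead.
    candidate = raw[:MAX_TIMESTAMP_LOOKAHEAD].split(";", 1)[0]
    try:
        return datetime.strptime(candidate, FMT_WITH_ZONE), "event text"
    except ValueError:
        naive = datetime.strptime(candidate, FMT_NO_ZONE)
    if stanza_tz is not None:
        return naive.replace(tzinfo=stanza_tz), "props.conf TZ"
    return naive.replace(tzinfo=indexer_tz), "indexer clock"


def render_for_user(event_time, user_tz):
    """Splunk displays _time in the searching user's zone; emulate that."""
    return event_time.astimezone(user_tz).strftime("%Y-%m-%d %H:%M:%S %z")


# Assumption: Turkey has used UTC+3 all year since September 2016, so a fixed
# +03 offset stands in for Asia/Istanbul when no tz database is installed.
USER_TZ = zone_from_name("Asia/Istanbul") or timezone(timedelta(hours=3), "+03")

if __name__ == "__main__":
    for raw in (RAW_ZULU, RAW_NAIVE):
        fields = split_fields(raw)
        when, origin = parse_event_time(raw, stanza_tz=USER_TZ)
        print(f"{fields['gps_time']:<26} zone from {origin:<14} "
              f"epoch={int(when.timestamp())} shown as {render_for_user(when, USER_TZ)}")
    print("Asian/Istanbul is a valid tz name:", zone_from_name("Asian/Istanbul") is not None)
```

Running it prints the posted line resolving from its own Z to epoch 1486988418 and displaying as 15:20:18 +0300 for an Istanbul user, while the constructed Z-less line is the one the TZ stanza actually shifts (its epoch comes out three hours earlier). Check the tz name with zone_from_name before putting it in a stanza; an unknown name returns None here where Splunk would silently fall through to the next rule in the precedence list.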
