Re: Timestamp locale recognition

Josh · ‎01-06-2011

Hi,

I have noticed that one of our Splunk indexers whilst indexing data from a host is seems to be using different time locales to covert the timestamps... Any reason for this?

Example: Extract from host: nyl01a-4103 recorded time in Splunk 06/01/2011 17:33:41.000 (This is correct as my UI is in the UK and the host is in NY

2011-01-06 12:33:40,605 INFO DQS [821897797] QueryService - Fetch Size|1000

Example: Extract from host: nyl01a-4103 recorded time in Splunk 06/01/2011 17:33:45.000

2011-01-06 07:33:45,863 INFO DQS [1514448925] QueryServiceUtil - maxFetchSize lookup time: 0

Example: Extract from host: nyl01a-4103 recorded time in 06/01/2011 17:33:58.000

2011-01-06 06:33:58,279 INFO DQS [2063101246] QueryService - Fetch Size|1

Note: All these events returned in the same search. I am guessing there is some timestamp locale setting which needs to be configured any ideas?

kbains · ‎02-24-2011

I would set explicit time extraction rule based on sourcetype, as well as set the timezone values based on host. For example:

in system/local/props.conf:

[my_sourcetype]
TIME_FORMAT = %Y-%m-%d %H:%M%:S
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=20


[host::nyl01a-4103 ]
# Assuming the server respects DST
TZ=America/New_York
# If the server does not respect DST
# TZ=UTC-4

Timestamp locale recognition

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation