Hi Splunkers & Splunkettes!
So I have a series of devices that log in UTC as follows:
2011-10-30 23:24:13 0 2 0 0 N 1440 2473 402 249 0.00 0.00 435314688 0 0 0 0 0 8
I want to ensure Splunk treats this as a UTC value when searches are run, so I have ensured that TZ = UTC is in the relevant props.conf files (yes, I have checked the configuration hierarchy).
Despite this, when searches are run, the time stamp doesn't reflect the local time changes:
Splunk Timestamp           Event Timestamp
10/30/11 11:25:01.000 PM   2011-10-30 23:25:01 ...
This is despite other identically configured timestamps reflecting the desired timezone:
Splunk Timestamp           Event Timestamp
10/31/11 10:29:56.000 AM   [30/Oct/2011:23:21:37.560+0000] ...
This is doing my head in, so any and all assistance appreciated!!
The answer might be that your search head is not in the UTC timezone. Splunk uses TZ= in props.conf to figure out what offset to apply to _time during indexing. But, at display time, _time is formatted from a time_t to a string in the search head's local timezone.
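To make the two stages in that answer concrete, here is an added example (not from the original thread or from Splunk itself) that models them in Python: the "indexer" parses the timestamp text and applies the props.conf TZ= setting to get an epoch _time, and the "search head" renders that epoch in its own local zone. It assumes TZ = UTC for the device source and a search head running on AEDT, modelled as a fixed UTC+11 offset; the sample lines are constructed from the formats in the question.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the two formats from the question.
DEVICE_LINE = ("2011-10-30 23:24:13 0 2 0 0 N 1440 2473 402 249 "
               "0.00 0.00 435314688 0 0 0 0 0 8")
WEB_LINE = "[30/Oct/2011:23:21:37.560+0000] GET /index.html"

# Assumed settings: props.conf TZ = UTC for the device source, and a search
# head whose OS clock is on AEDT, modelled here as a fixed UTC+11 offset
# (real Splunk consults the OS tz database, DST rules included).
PROPS_TZ = timezone.utc
SEARCH_HEAD_TZ = timezone(timedelta(hours=11), "AEDT")

def index_time(ts_text, fmt, props_tz):
    """Model the indexer: parse the timestamp text and, when the text carries
    no offset of its own, apply the props.conf TZ= setting. The result is the
    epoch value stored in _time. An explicit %z offset in the text wins over TZ=."""
    dt = datetime.strptime(ts_text, fmt)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=props_tz)
    return int(dt.timestamp())

def display_time(epoch, search_head_tz):
    """Model the search head: _time is a plain epoch, so the string the user
    sees is rendered in the search head's local zone, not in TZ=."""
    return datetime.fromtimestamp(epoch, search_head_tz).strftime("%Y-%m-%d %H:%M:%S")

def device_event_time(line, props_tz=PROPS_TZ):
    # The device format has the timestamp as the first 19 characters.
    return index_time(line[:19], "%Y-%m-%d %H:%M:%S", props_tz)

def web_event_time(line, props_tz=PROPS_TZ):
    # The web format carries its own +0000 offset inside square brackets.
    ts = line[1:line.index("]")]
    return index_time(ts, "%d/%b/%Y:%H:%M:%S.%f%z", props_tz)

if __name__ == "__main__":
    for name, epoch in (("device", device_event_time(DEVICE_LINE)),
                        ("web", web_event_time(WEB_LINE))):
        print(name, "_time =", epoch,
              "| shown on UTC search head:", display_time(epoch, PROPS_TZ),
              "| shown on AEDT search head:", display_time(epoch, SEARCH_HEAD_TZ))
    # Sanity check for the TZ= setting itself: if the indexer had silently
    # used its own local clock instead of TZ=UTC, _time would be 11 hours off.
    wrong = device_event_time(DEVICE_LINE, props_tz=SEARCH_HEAD_TZ)
    print("device _time with wrong TZ, shown in UTC:", display_time(wrong, PROPS_TZ))
```

The same epoch shows as 23:24:13 on a UTC search head and as 10:24:13 the next day on an AEDT one, which is the behaviour the question describes; the final check is how you tell a correct TZ= whose display merely looks local apart from a TZ= that was never applied.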
This was indeed the case! Thanks for the answer 🙂
What's your props.conf? Post a copy. You may have got your config hierarchy correct, but do the events point to the stanza?
e.g. here:
http://splunk-base.splunk.com/answers/29218/filtering-windows-event-logs