Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timestap issue

edwardrose
Contributor
‎02-19-2018 11:26 AM

Hello All,

I am a little confused as to what the heck is going wrong with my time stamps. We have the following raw logs:

2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - EMSJobOrderServiceImpl:38 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - SalesOrderDTO object type received.
2018-02-19 11:13:00 - WARN  - ENTITLEMENT - EMSJobOrderServiceImpl:54 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Returning the Job Params...
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method

The timezone for the logs/server is PST, but when the logs get ingested they are coming in with a timestamp as follows:
alt text

The props.conf for said data is as follows:

[ems_catalina]
SHOULD_LINEMERGE = false
TIME_PREFIX = <6>
MAX_TIMESTAMP_LOOKAHEAD = 24
TIME_FORMAT = %Y-%m-%dT%H%M%SZ

[ems_applogs]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = US/Pacific

#[source::/apps/tomcat/logs/ems_entitlement_services.log]
#TZ = America/Los_Angeles

The ems_applogs is the sourcetype which I am having issues with. Any ideas/help.

thanks
ed

Preview file
1 KB
0 Karma
Reply

somesoni2
Revered Legend
‎02-19-2018 01:18 PM

In the top right menu bar, go to left most dropdown (which has your user name)-> Edit Account. Check what's the default timezone selected for you. The timestamp you see on search page is adjusted per your default timezone.

0 Karma
Reply

edwardrose
Contributor
‎02-19-2018 01:33 PM

My account specific TZ is set to PST.

0 Karma
Reply

somesoni2
Revered Legend
‎02-19-2018 01:41 PM

It looks like Splunk is treating the log's timestamp to be in UTC, so it's showing -0800 when displayed in UI. Guessing you'll get your TZ corrected after restart. What version of UF you've where you're collecting your logs? If it's 6.x and above, you can set your TZ settings on UF itself.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎02-19-2018 01:15 PM

I'm betting it has something to do with your TZ attribute. You should try removing it and seeing if that fixes your timestamp issue

Also, are you sure you restarted the splunkd service after making the above changes? It looks like its pulling from old configs and your new ones were not applied

0 Karma
Reply

edwardrose
Contributor
‎02-19-2018 01:34 PM

It originally had nothing set for the TZ and the data was off. I added the TZ but did not restart the services as changes to the props.conf file do not always require a restart of the splunk services. But I will try it to test it out.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎02-19-2018 01:46 PM

Yes, you need a restart after making any index time setting changes...

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...