
Timestamp issue

Communicator

Hello All,

I am a little confused as to what the heck is going wrong with my timestamps. We have the following raw logs:

2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - EMSJobOrderServiceImpl:38 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - SalesOrderDTO object type received.
2018-02-19 11:13:00 - WARN  - ENTITLEMENT - EMSJobOrderServiceImpl:54 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Returning the Job Params...
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method
2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - 036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method

The timezone for the logs/server is PST, but when the logs get ingested they are coming in with a timestamp as follows:
[screenshot of the ingested timestamp, not preserved here]

The props.conf for said data is as follows:

[emscatalina]
SHOULD_LINEMERGE = false
TIME_PREFIX = <6>
MAX_TIMESTAMP_LOOKAHEAD = 24
TIME_FORMAT = %Y-%m-%dT%H%M%SZ

[emsapplogs]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = US/Pacific

#[source::/apps/tomcat/logs/emsentitlementservices.log]
#TZ = America/Los_Angeles

The ems_applogs is the sourcetype which I am having issues with. Any ideas/help?

thanks
ed


Re: Timestamp issue

SplunkTrust

I'm betting it has something to do with your TZ attribute. You should try removing it and seeing if that fixes your timestamp issue.

Also, are you sure you restarted the splunkd service after making the above changes? It looks like it's pulling from old configs and your new ones were not applied.


Re: Timestamp issue

Communicator

It originally had nothing set for the TZ and the data was off. I added the TZ but did not restart the services, as changes to the props.conf file do not always require a restart of the Splunk services. But I will try it to test it out.


Re: Timestamp issue

SplunkTrust

Yes, you need a restart after making any index-time setting changes...

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf


Re: Timestamp issue

SplunkTrust

In the top right menu bar, go to the leftmost dropdown (which has your user name) -> Edit Account. Check which default timezone is selected for you. The timestamp you see on the search page is adjusted per your default timezone.


Re: Timestamp issue

Communicator

My account specific TZ is set to PST.


Re: Timestamp issue

SplunkTrust

It looks like Splunk is treating the log's timestamp as UTC, so it's showing -0800 when displayed in the UI. Guessing you'll get your TZ corrected after a restart. What version of the UF do you have where you're collecting your logs? If it's 6.x and above, you can set your TZ settings on the UF itself.

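To make the mechanism in the last reply concrete (and to check the TIME_FORMAT from the [emsapplogs] stanza in the question against the sample lines), here is an added Python script, not part of the thread and not Splunk's own code. It extracts the timestamp with the question's TIME_FORMAT, then stores it twice: once under the wrong assumption that the source wrote UTC, once under the intended TZ = US/Pacific, and renders both for a user whose account timezone is PST. The fixed UTC-8 offset is my simplification: 19 Feb 2018 falls in standard time, so it matches US/Pacific for these lines without needing tzdata. The lookahead window and the third, timestamp-less line are constructed for the demonstration.

```python
"""Added example: why a naive log timestamp displays 8 hours off when the
indexer believes the source wrote UTC instead of US/Pacific."""
import re
from datetime import datetime, timedelta, timezone

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"           # from [emsapplogs] in the question's props.conf
MAX_TIMESTAMP_LOOKAHEAD = 24                # window to search, as in the [emscatalina] stanza
UTC = timezone.utc
PST = timezone(timedelta(hours=-8), "PST")  # constructed stand-in for TZ = US/Pacific (Feb = standard time)

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample lines in the question's log format; the last one has no timestamp.
SAMPLE_LINES = [
    "2018-02-19 11:13:00 - INFO  - ENTITLEMENT - UsersDaoImpl:124 - "
    "036cc5fa-a0b3-4a54-978f-9f34747fd126 - Inside UsersDaoImpl- getUserByUserId method",
    "2018-02-19 11:13:00 - WARN  - ENTITLEMENT - EMSJobOrderServiceImpl:54 - "
    "036cc5fa-a0b3-4a54-978f-9f34747fd126 - Returning the Job Params...",
    "no timestamp anywhere on this line",
]


def extract_naive(line, fmt=TIME_FORMAT, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Return the timestamp as a naive datetime, or None if none appears within
    the first `lookahead` characters. No zone is attached yet: this is exactly
    the point where an indexer has to guess which zone the source meant."""
    m = TS_RE.search(line[:lookahead])
    if not m:
        return None
    return datetime.strptime(m.group(0), fmt)


def index_epoch(line, source_tz):
    """Epoch seconds (_time) that result from reading the line's timestamp in source_tz."""
    naive = extract_naive(line)
    if naive is None:
        return None
    return int(naive.replace(tzinfo=source_tz).timestamp())


def displayed(epoch, viewer_tz=PST):
    """What a search UI shows a user whose account timezone is viewer_tz."""
    return datetime.fromtimestamp(epoch, viewer_tz).strftime("%Y-%m-%d %H:%M:%S %z")


def compare(line):
    """The same line indexed under both assumptions, viewed by a PST user."""
    as_utc = index_epoch(line, UTC)       # the thread's symptom: source treated as UTC
    as_pacific = index_epoch(line, PST)   # what TZ = US/Pacific should produce
    return {
        "as_utc": displayed(as_utc),
        "as_pacific": displayed(as_pacific),
        "skew_hours": (as_pacific - as_utc) / 3600,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        if extract_naive(line) is None:
            print("no timestamp within lookahead, indexer would fall back:", line)
            continue
        print(compare(line))
```

Running it prints the UTC reading as 03:13:00 -0800 and the Pacific reading as 11:13:00 -0800 for the same line, an 8-hour skew, which is the -0800 shift the reply describes; a line with no timestamp in the lookahead window is reported separately, since that is a different failure (fallback to some other time source) from a wrong zone.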