Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Timezone calculation error?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-01-2011
01:30 AM
I just finished loading a lot of data, and when reviewing it, I am seeing something odd.
First, my log file is in GMT, and I've set up my props.conf to look like so:
[Exchange2003]
TIME_FORMAT = %Y-%-m%-d\t%-H:%-M:%-S
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 15
KV_MODE = none
SHOULD_LINEMERGE = false
TRANSFORM
REPORT-Exchange2003 = Exchange2003
TZ=GMT
I have three log file entries I've identified for comparison:
Log file:
2011-4-1 0:4:42 GMT
Splunk Time:
4/1/11 12:03:28.478 AM
Log file:
2011-4-1 1:21:34 GMT
Splunk Time:
3/31/11 9:21:34.000 PM
Log file:
2011-4-1 1:20:26 GMT
Splunk Time:
4/1/11 9:20:12.081 PM
Notice the one in the middle is correct. I'm not sure what caused it, or how to fix it. Any suggestions?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gkanapathy
Splunk Employee
04-05-2011
06:07 AM
What's the name of the file? Also, it looks to me like your TIME_FORMAT above is just wrong, so can you confirm what is in your config file?
Update:
Seems to me your TIME_FORMAT is basically wrong and will never match your data, so Splunk is pretty much just guessing from where-ever it can, including the file name and/or file mod time, so it probably seems mysterious.
This is what you have:
%Y-%-m%-d\t%-H:%-M:%-S
You should have:
%Y-%m-%d%t%H:%M:%S %Z
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gkanapathy
Splunk Employee
04-05-2011
06:07 AM
What's the name of the file? Also, it looks to me like your TIME_FORMAT above is just wrong, so can you confirm what is in your config file?
Update:
Seems to me your TIME_FORMAT is basically wrong and will never match your data, so Splunk is pretty much just guessing from where-ever it can, including the file name and/or file mod time, so it probably seems mysterious.
This is what you have:
%Y-%-m%-d\t%-H:%-M:%-S
You should have:
%Y-%m-%d%t%H:%M:%S %Z
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-06-2011
02:14 AM
I have confirmed that the TIME_FORMAT listed above is working correctly. It was subtle, but I see the I had messed up the month detection at least. I was using the hyphens because I read the documentation incorrectly, thinking that I needed the hyphen to detect the lack of 0 padded integers. That wasn't the case at all. I see now that you probably just thought i had the hyphens in the wrong spot! Which, in the long run I did because of my misunderstanding. Thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
08:02 PM
I understand that, but I don't understand what you're eluding to. when I read docs on TIME_FORMAT, they reference using strptime() formatting. So I did. I, obviously, made a mistake with the tab 🙂 The dashes are still confusing me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gkanapathy
Splunk Employee
04-05-2011
06:05 PM
strptime() format has essentially nothing to do with printf() format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
05:48 PM
I read up on the strptime() requirements. I see the %t now. Understood. for %Y,%m,%d,%H,%M, and %S it is indicated that "leading zeros are permitted but not required". so why include a dash on the date and not time? I would think both could possibly be removed. Thanks a bunch!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
05:38 PM
wait, more questions abound. I read that too quickly. The hours, minutes, and seconds are not zero padded. I don't understand why the "-" is omitted for those. I am going to put this in place and see what happens!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
05:37 PM
So, a tab is %t not \t?
(just to confirm)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
11:49 AM
Sure! Log files are named like this: 40110504.log (today's)
TIME_FORMAT = %Y-%-m%-d\t%-H:%-M:%-S
I've compared it visually to the log file entry, and I don't see anything wrong 😞 I have also done only 3 custom log files, so I'm not a champion by any means 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
01:37 AM
Just bumping this for more ideas. This is still happening with new events.
I have no idea where to go with this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-01-2011
01:15 PM
I added that too soon 🙂
Log file:
2011-4-1 9:16:32 GMT
Splunk:
4/1/11 9:16:30.224 AM
Notice the time! It's not 9:16AM yet. It's almost like it has ignored the TZ setting, and perhaps only on single digit hours?
Looking for more details. Host, sourcetype, and source are identical.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-01-2011
01:13 PM
The lines look the same. This is a tab delimeted file, and every entry is idenitical. New items coming in are wrong still, (just checked this morning). It's not using index time, as it's 9:07am (ET) now, and splunk is showing this:
4/1/11 11:23:10.034 PM
But the log is:
2011-4-1 3:23:18 GMT
So, it should be more like 03/31/11 00:23:18.
Not in the future! 😃
It looks like some are correct and others are not.
Another example:
Log File:
2011-4-1 13:9:58
Splunk:
4/1/119:09:58.000 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
netwrkr
Communicator
04-01-2011
12:49 PM
Anything different about the logs associated with the incorrect time? I assume Splunk is using 'index' time versus parsing the time from the logged event?
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
