Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Timezone calculation error?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-01-2011
01:30 AM
I just finished loading a lot of data, and when reviewing it, I am seeing something odd.
First, my log file is in GMT, and I've set up my props.conf to look like so:
[Exchange2003]
TIME_FORMAT = %Y-%-m%-d\t%-H:%-M:%-S
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 15
KV_MODE = none
SHOULD_LINEMERGE = false
TRANSFORM
REPORT-Exchange2003 = Exchange2003
TZ=GMT
I have three log file entries I've identified for comparison:
Log file:
2011-4-1 0:4:42 GMT
Splunk Time:
4/1/11 12:03:28.478 AM
Log file:
2011-4-1 1:21:34 GMT
Splunk Time:
3/31/11 9:21:34.000 PM
Log file:
2011-4-1 1:20:26 GMT
Splunk Time:
4/1/11 9:20:12.081 PM
Notice the one in the middle is correct. I'm not sure what caused it, or how to fix it. Any suggestions?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gkanapathy
Splunk Employee
04-05-2011
06:07 AM
What's the name of the file? Also, it looks to me like your TIME_FORMAT above is just wrong, so can you confirm what is in your config file?
Update:
Seems to me your TIME_FORMAT is basically wrong and will never match your data, so Splunk is pretty much just guessing from where-ever it can, including the file name and/or file mod time, so it probably seems mysterious.
This is what you have:
%Y-%-m%-d\t%-H:%-M:%-S
You should have:
%Y-%m-%d%t%H:%M:%S %Z
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gkanapathy
Splunk Employee
04-05-2011
06:07 AM
What's the name of the file? Also, it looks to me like your TIME_FORMAT above is just wrong, so can you confirm what is in your config file?
Update:
Seems to me your TIME_FORMAT is basically wrong and will never match your data, so Splunk is pretty much just guessing from where-ever it can, including the file name and/or file mod time, so it probably seems mysterious.
This is what you have:
%Y-%-m%-d\t%-H:%-M:%-S
You should have:
%Y-%m-%d%t%H:%M:%S %Z
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-06-2011
02:14 AM
I have confirmed that the TIME_FORMAT listed above is working correctly. It was subtle, but I see the I had messed up the month detection at least. I was using the hyphens because I read the documentation incorrectly, thinking that I needed the hyphen to detect the lack of 0 padded integers. That wasn't the case at all. I see now that you probably just thought i had the hyphens in the wrong spot! Which, in the long run I did because of my misunderstanding. Thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
08:02 PM
I understand that, but I don't understand what you're eluding to. when I read docs on TIME_FORMAT, they reference using strptime() formatting. So I did. I, obviously, made a mistake with the tab 🙂 The dashes are still confusing me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gkanapathy
Splunk Employee
04-05-2011
06:05 PM
strptime() format has essentially nothing to do with printf() format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
05:48 PM
I read up on the strptime() requirements. I see the %t now. Understood. for %Y,%m,%d,%H,%M, and %S it is indicated that "leading zeros are permitted but not required". so why include a dash on the date and not time? I would think both could possibly be removed. Thanks a bunch!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
05:38 PM
wait, more questions abound. I read that too quickly. The hours, minutes, and seconds are not zero padded. I don't understand why the "-" is omitted for those. I am going to put this in place and see what happens!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
05:37 PM
So, a tab is %t not \t?
(just to confirm)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
11:49 AM
Sure! Log files are named like this: 40110504.log (today's)
TIME_FORMAT = %Y-%-m%-d\t%-H:%-M:%-S
I've compared it visually to the log file entry, and I don't see anything wrong 😞 I have also done only 3 custom log files, so I'm not a champion by any means 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-05-2011
01:37 AM
Just bumping this for more ideas. This is still happening with new events.
I have no idea where to go with this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-01-2011
01:15 PM
I added that too soon 🙂
Log file:
2011-4-1 9:16:32 GMT
Splunk:
4/1/11 9:16:30.224 AM
Notice the time! It's not 9:16AM yet. It's almost like it has ignored the TZ setting, and perhaps only on single digit hours?
Looking for more details. Host, sourcetype, and source are identical.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgauthier
Contributor
04-01-2011
01:13 PM
The lines look the same. This is a tab delimeted file, and every entry is idenitical. New items coming in are wrong still, (just checked this morning). It's not using index time, as it's 9:07am (ET) now, and splunk is showing this:
4/1/11 11:23:10.034 PM
But the log is:
2011-4-1 3:23:18 GMT
So, it should be more like 03/31/11 00:23:18.
Not in the future! 😃
It looks like some are correct and others are not.
Another example:
Log File:
2011-4-1 13:9:58
Splunk:
4/1/119:09:58.000 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
netwrkr
Communicator
04-01-2011
12:49 PM
Anything different about the logs associated with the incorrect time? I assume Splunk is using 'index' time versus parsing the time from the logged event?
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
