Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Using props.conf to change timestamp
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a modular input that collects data from a webservice. The events are not collected in realtime so to get the true timestamp I have to extract that from the time field on each event instead of using when splunk consumes it as the time stamp.
The problem with this is the event time is in UTC and my server is in US/Eastern time (UTC-5). When I search for the events they show 5 hours ahead. This causes problems when using relative search times because no data shows up.
How can I use props.conf or other method to make the events show up in Splunk as US/Eastern time so my searches work correctly? My current props.conf is below. I've tried to change the TZ= setting but it makes no difference. Please help!
[test]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^{
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3Q
TZ=UTC
KV_MODE=json
TRUNCATE=15000
Here's what the raw event logs like from splunkd.log
{
'tot': 86,
'epoch': 1396352800,
'tos': 85,
'sid': 318,
'browsertype': IE7,
'type': 'txtest',
'sname': New York, NY - Verizon,
'ttime': 2014-04-01 07:46:40.433,
'tpf': 0,
'rtime': 5954,
'nbyte': 729580,
'tof': 0,
'mid': 14247945,
'tps': 3, 'tpt': 3
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I checked the data. Your intended timestamp was not recognized. Try the below configuration.
[test]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^{
TIME_PREFIX='ttime':
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3Q
TZ=UTC
KV_MODE=json
TRUNCATE=15000
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I checked the data. Your intended timestamp was not recognized. Try the below configuration.
[test]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^{
TIME_PREFIX='ttime':
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3Q
TZ=UTC
KV_MODE=json
TRUNCATE=15000
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did the trick! thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a single server splunk deployment. The events come directly into the splunk server via webservice.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where did you configure this, on the indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What about data that has not already been indexed? I'm not concerned about the data that is already there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The timezone will be applied on index time. Therefore you cannot modify existing data to show correctly. You may want to export the data and re-import it.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
