What is the best method of configuring timestamp recognition to support all ISO 8601 formats with Splunk 6.4.1?

crisjnelson
Explorer

One of our teams wishes to use ISO 8601 for their log event timestamps. They have the desire to use any of the formats provided in that standard. Does Splunk 6.4.1 support timestamp recognition configuration for this?

The logs currently use this variation: 2018-03-02T17:02:09.335Z

What is the recommended way to configure timestamp recognition for the above sample?

richgalloway
SplunkTrust

I believe that time format is supported by default. However, it's a best practice to always put TIME_FORMAT in your props.conf files to tell Splunk what time format is used by each sourcetype. This keeps Splunk from guessing wrong and actually improves indexing performance.
In your case, use TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z.

---
If this reply helps you, Karma would be appreciated.
ddrillic
Ultra Champion

Interesting - according to Date and time format variables, we can replace %Y-%m-%d with %F.

crisjnelson
Explorer

Much appreciated! I am doing this, and assume Splunk is using UTC as the time zone. Now, search results appear in the future. I have to select all time to get the latest events. My Indexers are running in CST and my Search Heads are running in PST. _time shows as something else. What do I need to configure in order for my searches to be relative to the current time?

esix_splunk
Splunk Employee

What time zone are you in, and what time zone is set in your GUI for Splunk? Additionally, you can set the timezone in the props on your host and help alleviate this kind of issue.

richgalloway
SplunkTrust

If you set the time zone in your profile to CST do events still appear in the future?

Many admins prefer to run all of their Splunk servers in UTC (or some other common time zone) to avoid problems and confusion.

---
If this reply helps you, Karma would be appreciated.
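A props.conf stanza that puts the thread's advice together, covering both richgalloway's TIME_FORMAT suggestion and the later time zone discussion. This is an added example, not configuration posted by anyone in the thread; the sourcetype name iso8601:app and the TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD values are assumptions for the sample event 2018-03-02T17:02:09.335Z.

```ini
# props.conf (added example; sourcetype name is assumed)
[iso8601:app]
# The timestamp is the first thing in the event, so anchor the search at
# the start of the line instead of letting Splunk scan for it
TIME_PREFIX = ^
# 2018-03-02T17:02:09.335Z is 24 characters; limit the scan to that width
# so a later date-like string in the event body cannot be picked up instead
MAX_TIMESTAMP_LOOKAHEAD = 24
# Explicit format from the thread: %3N = milliseconds, %Z = zone designator
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
# The sample events are UTC ("Z"). Stating TZ explicitly stops the indexer's
# local zone (CST in the thread) being applied, which is what pushes _time
# into the future and hides events from relative-time searches.
TZ = UTC
```

After a restart or configuration reload, compare _time against _indextime on a few freshly indexed events; with the correct zone the two should differ only by ingestion delay rather than by a whole-hour offset.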