Getting Data In

What is the best method of configuring timestamp recognition to support all ISO 8601 formats with Splunk 6.4.1?

crisjnelson
Explorer

One of our teams wishes to use ISO 8601 for their log event timestamps. They have the desire to use any of the formats provided in that standard. Does Splunk 6.4.1 support timestamp recognition configuration for this?

The logs currently use this variation: 2018-03-02T17:02:09.335Z

What is the recommended way to configure timestamp recognition for the above sample?

0 Karma

richgalloway
SplunkTrust

I believe that time format is supported by default. However, it's a best practice to always put TIME_FORMAT in your props.conf files to tell Splunk what time format is used by each sourcetype. This keeps Splunk from guessing wrong and actually improves indexing performance.
In your case, use TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ddrillic
Ultra Champion

Interesting - according to Date and time format variables, we can replace %Y-%m-%d with %F.

0 Karma

crisjnelson
Explorer

Much appreciated! I am doing this, and assume Splunk is using UTC as the time zone. Now, search results appear in the future. I have to select all time to get the latest events. My Indexers are running in CST and my Search Heads are running in PST. _time shows as something else. What do I need to configure in order for my searches to be relative to the current time?

0 Karma

esix_splunk
Splunk Employee

What time zone are you in, and what time zone is set in your GUI for Splunk? Additionally, you can set the time zone in the props on your host, which helps alleviate this kind of issue.

0 Karma

richgalloway
SplunkTrust

If you set the time zone in your profile to CST, do events still appear in the future?

Many admins prefer to run all of their Splunk servers in UTC (or some other common time zone) to avoid problems and confusion.

---
If this reply helps you, Karma would be appreciated.
0 Karma
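Pulling the two threads of advice together (richgalloway's TIME_FORMAT and esix_splunk's suggestion to set the time zone in props), here is what a complete props.conf stanza for the sample event could look like. This is an added example, not configuration posted by anyone in the thread: the sourcetype name `myapp:iso8601` is a placeholder, and it assumes the timestamp sits at the very start of each event, which is why TIME_PREFIX is just `^` and the lookahead can be short.

```ini
# props.conf on the indexer (or heavy forwarder) that parses this sourcetype.
# Added example for this thread; "myapp:iso8601" is a placeholder sourcetype name.
[myapp:iso8601]

# The event begins with the timestamp (assumption for this example). If text
# precedes it, set TIME_PREFIX to a regex that ends immediately before the date.
TIME_PREFIX = ^

# Scan only the first 30 characters for the timestamp, so a later date inside
# the event body (e.g. an expiry field) cannot be picked up as the event time.
MAX_TIMESTAMP_LOOKAHEAD = 30

# Layout of 2018-03-02T17:02:09.335Z, as given in the reply above (%3N = milliseconds).
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z

# The trailing Z means UTC. An explicit TZ is the fallback Splunk uses whenever
# it does not recognise a zone in the event itself; without it the indexer's
# local zone (CST in the question) is assumed, which is what pushes UTC
# timestamps six hours "into the future" at search time.
TZ = UTC
```

One TIME_FORMAT string matches exactly one layout, so if the team really does emit several ISO 8601 variants (offset written as +00:00 instead of Z, or no fractional seconds), each variant needs its own sourcetype and stanza, or the log writer should be pinned to a single layout. Accurate _time matters beyond convenience: a timeline built for an investigation is only as good as the ordering of its events, and a six-hour skew between sources is enough to misattribute cause and effect.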