One of our teams wishes to use ISO 8601 for their log event timestamps. They have the desire to use any of the formats provided in that standard. Does Splunk 6.4.1 support timestamp recognition configuration for this?
The logs currently use this variation: 2018-03-02T17:02:09.335Z
What is the recommended way to configure timestamp recognition for the above sample?
I believe that time format is supported by default. However, it's a best practice to always put TIME_FORMAT in your props.conf files to tell Splunk what time format is used by each sourcetype. This keeps Splunk from guessing wrong and actually improves indexing performance.
In your case, use:
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
Interesting - according to Date and time format variables, we can replace %Y-%m-%d with %F.
Much appreciated! I am doing this, and assume Splunk is using UTC as the time zone. Now, search results appear in the future. I have to select all time to get the latest events. My Indexers are running in CST and my Search Heads are running in PST. _time shows as something else. What do I need to configure in order for my searches to be relative to the current time?
What time zone are you in, and what time zone is set in your GUI for Splunk? Additionally, you can set the time zone in the props on your host to help alleviate this kind of issue.
If you set the time zone in your profile to CST, do events still appear in the future?
Many admins prefer to run all of their Splunk servers in UTC (or some other common time zone) to avoid problems and confusion.
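Putting the TIME_FORMAT advice and the time-zone discussion above together, here is an example props.conf stanza for the sample timestamp. It is an added illustration, not configuration from the thread or from Splunk's documentation; the sourcetype name is hypothetical, and it assumes the ISO 8601 timestamp is the first thing on each event line.

```ini
# Hypothetical sourcetype name; replace with the one your team's logs use.
[iso8601_app_logs]
# Each event is a single line; don't let Splunk merge lines into multi-line events.
SHOULD_LINEMERGE = false
# The timestamp starts at the beginning of the event, so anchor extraction there
# rather than letting Splunk scan the whole line for something date-like.
TIME_PREFIX = ^
# Matches 2018-03-02T17:02:09.335Z: %3N is milliseconds, %Z the zone designator.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
# "2018-03-02T17:02:09.335Z" is 24 characters; cap the scan so a later
# date-looking field in the event can never be picked up instead.
MAX_TIMESTAMP_LOOKAHEAD = 24
# The trailing Z means UTC. TZ only applies when the timestamp itself carries no
# zone information, so this is a fallback that keeps events from landing in the
# future or the past if the zone designator is ever missing from a line.
TZ = UTC
```

After deploying, compare _time against the raw timestamp for a few recent events with the search head's user time zone set deliberately; a constant multi-hour offset indicates the zone is still being guessed rather than parsed.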