Getting Data In

What is the best method of configuring timestamp recognition to support all ISO 8601 formats with Splunk 6.4.1?

Explorer

One of our teams wishes to use ISO 8601 for their log event timestamps. They have the desire to use any of the formats provided in that standard. Does Splunk 6.4.1 support timestamp recognition configuration for this?

The logs currently use this variation: 2018-03-02T17:02:09.335Z

What is the recommended way to configure timestamp recognition for the above sample?

SplunkTrust

I believe that time format is supported by default. However, it's a best practice to always put TIME_FORMAT in your props.conf files to tell Splunk what time format is used by each sourcetype. This keeps Splunk from guessing wrong and actually improves indexing performance.
In your case, use TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z.

---
If this reply helps you, an upvote would be appreciated.
Ultra Champion

Interesting - according to Date and time format variables

we can replace %Y-%m-%d with %F.

Explorer

Much appreciated! I am doing this, and assume Splunk is using UTC as the time zone. Now, search results appear in the future. I have to select all time to get the latest events. My Indexers are running in CST and my Search Heads are running in PST. _time shows as something else. What do I need to configure in order for my searches to be relative to the current time?

Splunk Employee

What time zone are you in, and what time zone is set in your GUI for Splunk? Additionally, you can set the time zone in the props on your host to help alleviate this kind of issue.

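The two suggestions in this thread (an explicit TIME_FORMAT in props.conf, and a time zone set in props) put together in one stanza, as an added example that was not posted by anyone in the thread; the sourcetype name `iso8601_app` and the timestamp sitting at the very start of each event are assumptions.

```ini
# props.conf on the indexer or heavy forwarder that parses the data
# (added example; sourcetype name and event layout are assumptions)
[iso8601_app]
# Anchor the timestamp search at the start of the event; the sample
# 2018-03-02T17:02:09.335Z has nothing in front of it.
TIME_PREFIX = ^
# Explicit format instead of auto-detection: year-month-day, literal T,
# time with 3-digit fractional seconds, then the zone designator.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
# The sample is 24 characters long; stop scanning shortly after that
# so a later date in the message body is never picked up instead.
MAX_TIMESTAMP_LOOKAHEAD = 30
# Zone to assume for events whose timestamp carries no zone of its own;
# an ISO 8601 "Z" means UTC, so this keeps the two cases consistent.
TZ = UTC
```

TZ only applies to events whose own timestamp has no zone information, and like any props.conf parsing change it affects newly indexed data only, not events already on disk.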

SplunkTrust

If you set the time zone in your profile to CST, do events still appear in the future?

Many admins prefer to run all of their Splunk servers in UTC (or some other common time zone) to avoid problems and confusion.

---
If this reply helps you, an upvote would be appreciated.