The two lines below show (line 1) the time processed by a Splunk indexer in EST time and (line 2) the corresponding timestamp of a native syslog record. The second timestamp says it is UTC-based with an offset of 4 hours, and yet the difference between the two stamps is 8 hours.
3/30/15 2:34:38.000 AM
2015-03-30T10:34:38-04:00 147.81.86.22 %ASA-6-302015: Built outbound UDP connection 785924 for outside:DNS1.ENGILITYCORP.COM/53 (DNS1.ENGILITYCORP.COM/53) to inside:TSEADC01/63217 (TSEADC01/63217)
In props.conf, the time format used is:
TIME_FORMAT = %Y-%m-%dT%H:%M:%S-%z
Where is the error?
Thank you.
I'm not sure if this is it, as I haven't looked deeply enough to do the math, but I think your format should be
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
since the - is part of the timezone specification (UTC-04:00 versus UTC+04:00).
It works. Thank you. The %z spec including the - is indeed the correct format.
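Worked reproduction of the 8-hour shift, added here and not part of the original thread. It assumes the indexer's US Eastern clock was on daylight time (UTC-4) on 2015-03-30, and it models the lenient sign-swallowing parse with a hypothetical helper, because Python's own strptime simply rejects an unsigned %z.

```python
from datetime import datetime, timedelta, timezone

# Syslog timestamp from the thread (same value, used here as constructed input).
RAW = "2015-03-30T10:34:38-04:00"
# Assumption: the indexer's US Eastern clock was on daylight time (UTC-4) on
# 2015-03-30; that is what turns a 4-hour offset error into an 8-hour shift.
EASTERN = timezone(timedelta(hours=-4), "EDT")

BAD_FORMAT = "%Y-%m-%dT%H:%M:%S-%z"   # format from the question
GOOD_FORMAT = "%Y-%m-%dT%H:%M:%S%z"   # format from the answer


def lenient_strptime(raw: str, fmt: str) -> datetime:
    """Hypothetical lenient parser: when the format ends in '-%z', the literal
    '-' swallows the sign in the data, so %z is left with '04:00' and reads it
    as +04:00.  Otherwise behaves exactly like datetime.strptime."""
    if fmt.endswith("-%z"):
        body, offset = raw.rsplit("-", 1)          # '...T10:34:38', '04:00'
        naive = datetime.strptime(body, fmt[:-3])  # fmt without the '-%z'
        hours, minutes = (int(part) for part in offset.split(":"))
        sign_lost = timezone(timedelta(hours=hours, minutes=minutes))
        return naive.replace(tzinfo=sign_lost)
    return datetime.strptime(raw, fmt)


def indexed_time(raw: str, fmt: str) -> datetime:
    """Timestamp as the indexer would store and display it in its local zone."""
    return lenient_strptime(raw, fmt).astimezone(EASTERN)


def hours_apart(raw: str) -> float:
    """Gap in hours between the correctly and the wrongly parsed indexed time."""
    good = indexed_time(raw, GOOD_FORMAT)   # 10:34:38-04:00
    bad = indexed_time(raw, BAD_FORMAT)     # 02:34:38-04:00, the thread's symptom
    return (good - bad).total_seconds() / 3600


def strict_strptime_rejects(raw: str, fmt: str) -> bool:
    """Python's own strptime requires a signed %z, so the bad format fails
    loudly instead of silently shifting the event by eight hours."""
    try:
        datetime.strptime(raw, fmt)
        return False
    except ValueError:
        return True
```

Running `hours_apart(RAW)` gives exactly the 8-hour gap from the question, and `strict_strptime_rejects(RAW, BAD_FORMAT)` shows why a strict parser is the safer default: it refuses the malformed offset rather than indexing the event at the wrong time.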