Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is there a 4 hour time difference between event timestamp vs _time?

iamsplunker
Communicator
‎06-22-2022 04:06 PM

Hi Splunkers, 

I have an issue with the timestamp the data is being indexed. Here is an example of my logs.

I applied the props at sourcetype level. However it doesn't seem to be working- Please Help

Scenario -1

Time                                                                  Event

6/20/22  10:35:59.833 PM               2022-06-20 18:35:59,833  [200] Error logs http client 

props.conf

TIME_FORMAT= %Y-%m-%d %H:%M:%S,%3N

TIME_PREFIX = ^

MAX_TIMESTAMP_LOOKAHEAD = 24

TZ = UTC

Scenario - 2

Time                                                                  Event

6/20/22 10:24:05.000 PM                  2022-06-20 22:23:53 Error logs http client 

 

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-23-2022 11:32 PM

Hi @iamsplunker,

I suppose that the timestamp you want is the date between square brackets.

In this case you have to use:

[your_sourcetype]
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
TIME.PREFIX = \[

please check if before the timezone there's a space.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2022 11:48 PM

Hi @iamsplunker,

to help you in debugging your problem I need to have a sample of your logs, anyway, you have to exactly identify TIME_FORMAT and TIME_PREFIX.Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

iamsplunker
Communicator
‎06-23-2022 03:12 PM

@gcusello : Here is the sample 

Time                                                               Event

6/23/22  9:52:26.000 PM                10.100.200.10 - - [23/Jun/2022:17:52:26 -0400] TAIL/mcquote/ApplStatusServers HTTP/2.0 900 - "-" "-" - -

6/23/22  9:52:26.000 PM                20.100.200.20 - - [23/Jun/2022:17:52:26 -0400] TAIL/mcquote/ApplStatusServers HTTP/2.0 900 - "-" "-" - -

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-23-2022 11:32 PM

Hi @iamsplunker,

I suppose that the timestamp you want is the date between square brackets.

In this case you have to use:

[your_sourcetype]
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
TIME.PREFIX = \[

please check if before the timezone there's a space.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-29-2022 01:40 AM

Hi @iamsplunker,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

iamsplunker
Communicator
‎06-27-2022 12:35 PM

@gcusello Looks Like it's not working . I also added TZ and MAX_TIMESTAMP_LOOKAHEAD

 

 

[sourcetype]
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
TIME_PREFIX = \[
MAX_TIMESTAMP_LOOKAHEAD = 27
TZ = UTC

 

 

 

 

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-28-2022 02:39 AM
When your timestamp contains TZ information like -0400, you shouldn't add any TZ information to props.
As @gcusello said, you must add props.conf into the 1st full splunk enterprise instance HF or Indexer from source system.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-27-2022 11:20 PM

Hi @iamsplunker,

at first please check if there's a space between seconds and timezone as it seems.

Then, where do you located the pros.conf?

it must be located on Indexers or (if present) on Heavy Forwarders.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

iamsplunker
Communicator
‎06-28-2022 08:39 AM

@gcusello @isoutamo 

Yes, There is a space between seconds and timezone so the time format is correct I believe. I removed the TZ from my props.

When I tested the data with TIME_PREFIX and TIME_FORMAT it looks like the event time is highlighted(as below) however it doesn't seem to take that timestamp.

Time                                                      Event

6/28/22 2:44:30.000 PM          11.146.180.90 - - [28/Jun/2022:10:44:30 -0400] GETS /rebel/Frontend

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-28-2022 09:21 AM
Internally Splunk use UTC and it shows it on your local TZ or what ever you have configured on your GUI. See <Your Account Name> -> Preferences -> Time Zone.
0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...