Hi all,
Splunk adds one hour to the timestamp when indexing logs.
Example of my logs:
[ 21/Feb/2012 1:05:32.306 PM] I got ID_TRANS ...
So when such a log gets into Splunk, it gets a timestamp like
2/21/12
2:05:32.306 PM
My props.conf for these logs is:
[sourcetype::verytest]
MAX_TIMESTAMP_LOOKAHEAD=31
NO_BINARY_CHECK=1
TIME_FORMAT=%d/%b/%y %H:%M:%S.%3N %p
My timezone is -
(GMT +03:00) Moscow, St. Petersburg, Volgograd
What am I doing wrong?
Thx, MarioM, it really helps.
For Moscow, Russia, props.conf for such logs should look like this:
[sourcetype::your_sourcetype_name]
MAX_TIMESTAMP_LOOKAHEAD = custom, for example 31
NO_BINARY_CHECK=1 (Do not check for binary, speeds up performance)
TIME_FORMAT=%d/%b/%y %H:%M:%S.%3N %p (Custom date/time format, to help the indexer understand timestamps)
TZ=Europe/Moscow
TZ should be equal to TZ=Europe/Moscow (only for logs in the Moscow time zone (+03.00)).
Yes, I have checked everything twice.
My situation is stated in this question:
http://splunk-base.splunk.com/answers/40985/time-zone-recognition-still-doesnt-work-after-editing-pr...
Could you please check on your system, do you really have UTC+0300 for Europe/Moscow?
Oh, it's my fault, sorry.
Did you check the time on the server with the Splunk installation? Is it correct?
Well, according to this Wikipedia table, column "Standard Time", Asia/Krasnoyarsk is UTC+08:00, which is too much for me 😉 I'm still in Europe/Moscow (not Moscow +0400).
Hi, greg!
For UTC +04.00 you should use Asia/Krasnoyarsk; it will give you UTC +04.00. For more information about time zones, you could study MarioM's link (http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones)
Hi!
Do you have UTC+03:00 after assigning TZ=Europe/Moscow?
I'm struggling with the same issue at the moment, i.e. Europe/Moscow gives me UTC+03:00, but we are actually in UTC+04:00.
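
Added example, not part of any post in this thread: a Python check that parses the sample line from the question and measures how far an event moves when the zone rules applied at parse time disagree with the clock that wrote the log. The function names are hypothetical, and the fixed offsets (+03:00 assumed, +04:00 actual) are taken from the last comment as an assumption; `zone_offset` reports what the local tz database says for a named zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample line in the format quoted in the question.
SAMPLE = "[ 21/Feb/2012 1:05:32.306 PM] I got ID_TRANS ..."
STAMP = re.compile(
    r"\[\s*(\d{1,2}/[A-Za-z]{3}/\d{4} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M)\]")

def event_time(line, tz):
    """Parse the bracketed wall-clock timestamp and interpret it in tz."""
    m = STAMP.search(line)
    if m is None:
        raise ValueError("no bracketed timestamp in line")
    # Python strptime directives (12-hour clock, 4-digit year); this is
    # not the Splunk TIME_FORMAT string from the thread.
    naive = datetime.strptime(m.group(1), "%d/%b/%Y %I:%M:%S.%f %p")
    return naive.replace(tzinfo=tz)

def skew(line, written_tz, assumed_tz):
    """Displacement of the event when a line written in written_tz is
    parsed as if it were in assumed_tz (positive = shifted later)."""
    return event_time(line, assumed_tz) - event_time(line, written_tz)

def zone_offset(line, zone_name):
    """UTC offset the local tz database gives zone_name at the event time."""
    from zoneinfo import ZoneInfo  # needs tz data installed on the host
    return event_time(line, ZoneInfo(zone_name)).utcoffset()

if __name__ == "__main__":
    plus3, plus4 = timezone(timedelta(hours=3)), timezone(timedelta(hours=4))
    print("skew:", skew(SAMPLE, plus4, plus3))
    print("shown at +04:00:", event_time(SAMPLE, plus3).astimezone(plus4))
    try:
        print("Europe/Moscow here:", zone_offset(SAMPLE, "Europe/Moscow"))
    except Exception as exc:  # e.g. no tz database on this host
        print("tz lookup failed:", exc)
```

Running the same comparison on a few known events after a props.conf change confirms whether the one-hour displacement is gone before the timestamps are relied on for correlation.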