Solved: Re: Yet more timezone excitement

sseekamp · ‎04-30-2014

I have logs with a timezone specified like:

2014 Apr 30 20:37:31:001 GMT -5

There is a space between the GMT and the -5. Splunk is picking this up as GMT instead of US/Central.

How can I override or define the TZ as the entire "GMT -5" string?

Thanks!

somesoni2 · ‎05-01-2014

Add following to your props.conf

[YourSourceType]
TIME_FORMAT=%Y %b %d %H:%M:%S:%3Q %Z %z  
....
.other settings..
.....

View solution in original post

somesoni2 · ‎05-01-2014

Add following to your props.conf

[YourSourceType]
TIME_FORMAT=%Y %b %d %H:%M:%S:%3Q %Z %z  
....
.other settings..
.....

sseekamp · ‎06-15-2014

Thanks - this was perfect!

richgalloway · ‎05-01-2014

You could put a TIME_FORMAT string in your props.conf file, but I think that won't work because the offset is not in the expected 'hhmm' format. Try overriding the timezone by putting TZ=-05:00 in the relevant props.conf stanza.

---
If this reply helps you, Karma would be appreciated.

Yet more timezone excitement

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)