Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

forwarder source logs displaying in UTC Time - Need EST

bcusick
Communicator
‎03-11-2014 12:34 PM

Hi,

I have a forwarder that goes by EST. My Splunk server also goes by EST. Today I had to add a source (from a completely different server with UTC time) to my EST Splunk forwarder.

How can I make _time for the logs in this source be in EST? They can still display UTC, but I need to see them in EST for Splunk timing.

I have already tried editing the props.conf to say:

[mdm]
TZ = UTC

Where mdm is the sourcetype for this source

Thanks,

Brian

0 Karma
Reply

woodcock
Esteemed Legend
‎06-28-2015 06:58 PM

The indexers were probably rebooted which is required for this change to take effect.

0 Karma
Reply

bcusick
Communicator
‎03-17-2014 06:03 AM

Somehow this issue has cleared itself up. 🙂

0 Karma
Reply

lukejadamec
Super Champion
‎03-11-2014 01:03 PM

You should try to configure splunk to recognize the correct TZ for that source, that way splunk can do all of the search time corrections for you.

As for subtracting 4 hours, not a problem so long as splunk knows it is working with a time.

0 Karma
Reply

bcusick
Communicator
‎03-11-2014 12:59 PM

Timestamp is showing up like this in the raw log...

2014-03-11 18:04:11

basically all I want to do is subtract 4 hours from it. Idk how that would go if the UTC time was between midnight and 3:59AM, but I could use temporarily a method to show this time as EST (4 hours prior to what it says now)

0 Karma
Reply

lukejadamec
Super Champion
‎03-11-2014 12:53 PM

Do the event timestamps include a timezone, or is the timestamp an epoch time?
How did you add the new server to the forwarder, and why not add it directly to the indexer?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...