
how to get the timezone of the logs set in props file


Hi team,

I have catalina logs coming to Splunk from the Central time zone,
but my Splunk server is installed and configured in the Eastern time zone.

Time: 1/24/17 4:12:55.911 AM

Event: 2017-01-24T 03:12:55.911-0600: 3331438.505: Total time for which application threads were stopped: 0.0008767 seconds, Stopping threads took: 0.000219

This is how Splunk is generating the events, one hour ahead of the time specified in the logs. My sample props.conf file:

[cfsgalaxydpsdaocatalinast]
TIME_FORMAT = %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
NO_BINARY_CHECK = 1
pulldown_type = 1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE =^\d+:\d{2}:\d{2}\,\d{3}
TZ = CST6CDT

0 Karma

Re: how to get the timezone of the logs set in props file


Hi deepthi5,
see https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Propsconf

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as follows:
* If the event has a timezone in its raw text (for example, UTC, -08:00),  use that.
* If TZ is set to a valid timezone string, use that.
* If the event was forwarded, and the forwarder-indexer connection is using the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
* Otherwise, use the timezone of the system that is running splunkd.
* Defaults to empty.

or at https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Applytimezoneoffsetstotimestamps

The Zoneinfo database is at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Bye.
Giuseppe

0 Karma
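
The precedence order quoted in the answer, applied to the event line from the question, as an added example (not part of the original thread and not Splunk code). It models only the zone selection, not Splunk's TIME_FORMAT-driven timestamp extraction; the fixed winter offsets and the helper names `zone`, `resolve_event_time` and `shown_in` are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: fixed winter (standard-time) offsets, so no tz database is needed.
WINTER_OFFSETS = {"CST6CDT": -6, "EST5EDT": -5}

# Event line from the question (tail trimmed); NO_OFFSET is a constructed
# variant of the same line without the "-0600" offset.
EVENT = ("2017-01-24T 03:12:55.911-0600: 3331438.505: Total time for which "
         "application threads were stopped: 0.0008767 seconds")
NO_OFFSET = EVENT.replace("-0600", "")

STAMP_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2})T\s*(\d{2}:\d{2}:\d{2}\.\d{3})([+-]\d{2}:?\d{2})?")


def zone(name):
    """Hypothetical helper: named zone -> fixed-offset tzinfo (winter only)."""
    return timezone(timedelta(hours=WINTER_OFFSETS[name]), name)


def resolve_event_time(raw, props_tz=None, forwarder_tz=None, indexer_tz="EST5EDT"):
    """Return (aware timestamp, rule that chose the zone), in the documented order."""
    m = STAMP_RE.search(raw)
    if m is None:
        raise ValueError("no timestamp found")
    date, clock, offset = m.groups()
    naive = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
    if offset:  # 1. a timezone in the raw text wins over everything else
        digits = offset[1:].replace(":", "")
        delta = timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
        tz, rule = timezone(-delta if offset[0] == "-" else delta), "raw text"
    elif props_tz:  # 2. TZ from props.conf
        tz, rule = zone(props_tz), "props.conf TZ"
    elif forwarder_tz:  # 3. timezone reported by the forwarder
        tz, rule = zone(forwarder_tz), "forwarder"
    else:  # 4. system timezone of the host running splunkd
        tz, rule = zone(indexer_tz), "indexer system"
    return naive.replace(tzinfo=tz), rule


def shown_in(ts, viewer_tz):
    """Render the same instant on a clock in viewer_tz."""
    return ts.astimezone(zone(viewer_tz)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]


if __name__ == "__main__":
    for raw, tz in ((EVENT, "CST6CDT"), (NO_OFFSET, "CST6CDT"), (NO_OFFSET, None)):
        ts, rule = resolve_event_time(raw, props_tz=tz)
        print(f"{rule:15} -> {shown_in(ts, 'EST5EDT')} Eastern")
```

Because the raw event carries `-0600`, the first rule applies and the TZ setting is never consulted; 03:12:55.911 at -0600 is the same instant as 04:12:55.911 on an Eastern clock. Only the constructed variant with no offset and no TZ falls through to the indexer's zone and ends up an hour off in absolute time.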