Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get the timezone of the logs set in props file

deepthi5
Path Finder
‎01-24-2017 01:36 AM

Hi team,

I have catalina logs ocming to splunk from Central timezone
But my splunk server is installed and configured in Eastern time Zone

Time

Event

1/24/17
4:12:55.911 AM

2017-01-24T 03:12:55.911-0600: 3331438.505: Total time for which application threads were stopped: 0.0008767 seconds, Stopping threads took: 0.000219

This is how splunk is generating the events with one hour ahead the time specified in logs my sample props.conf file

[cfs_galaxy_dpsdao_catalina_st]
TIME_FORMAT = %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
NO_BINARY_CHECK = 1
pulldown_type = 1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE =^\d+:\d{2}:\d{2}\,\d{3}
TZ = CST6CDT

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2017 01:47 AM

Hi deepthi5,
see https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Propsconf

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as follows:
* If the event has a timezone in its raw text (for example, UTC, -08:00),  use that.
* If TZ is set to a valid timezone string, use that.
* If the event was forwarded, and the forwarder-indexer connection is using the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
* Otherwise, use the timezone of the system that is running splunkd.
* Defaults to empty.

or at https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Applytimezoneoffsetstotimestamps

The Zoneinfo database is at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...