Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk detects _time right, but displays it wrong

horsefez
Motivator
‎12-21-2015 03:43 AM

Hi,

I have an issue with the _time field in Splunk.

An event like this gets into Splunk.
alt text

While the date_hour, date_minute and date_second fields are extracted correctly the _time field doesn't display the time correctly.
8:05 AM is not 10:05 in european format.

The sourcetype for these events is specified as following
alt text

Somehow the _time field does not show the correct timestamp.

What can I do?

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jmallorquin
Builder
‎12-21-2015 08:22 AM

Hi,

The problem is the timezone (is not time format), that you have selected. Probably your rol isn't in the same time zone.

Regards,

View solution in original post

Reply
Solved! Jump to solution

Dworsnop
Path Finder
‎08-20-2018 07:58 AM

Sorry to resurrect this post but it describes the same problem I'm having and I can't seem to get it working.
(I'm using Splunk Enterprise v6.6.8)

I created an input using DB Connect 2.4.0 and at the point of setting the Metadata for my DB input my source and sourcetype didn't exist, so I typed them into the boxes and all appeared well. Until of course I realise that my input is using a 'UTCDateTime' field from my original source as its timestamp however it is being displayed another hour behind UTC for some reason. ** I'm in the UK so our current local time is UTC+1. ** The user that the DB Connect Inputs runs as is set to "Default System Timezone", I have checked the date/time for the HF on which DB Connect resides and it is correct (UTC+1).

I then set about creating the sourcetype on my SH, Indexer and HF, setting the Timestamp to Auto. My data is still being indexed with a timestamp an hour behind the time specified in the original UTCDateTime field.

I haven't tinkered with any props.conf files or anything like that yet.

Any ideads where I've gone wrong, do I need to restart any/all of the servers for the sourcetype to work?

0 Karma
Reply
Solved! Jump to solution

Dworsnop
Path Finder
‎08-28-2018 01:32 AM

Just closing this off now as I've fixed my problem. I'm now pointing to the LocalDateTime column as the timestamp which my SH automatically changes to UTC as per all other logs so it's consistent throughout.
Happy days.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎08-28-2018 03:41 AM

What you could have done instead, is set the timezone in the db connect connection to UTC. If you use a UTC column to get the time, you need to tell Splunk it is UTC, otherwise it will interpret it based on the forwarder's local timezone (in your case UTC+1).

0 Karma
Reply
Solved! Jump to solution

Dworsnop
Path Finder
‎08-28-2018 03:46 AM

When you say "set the timezone in the db connect connection to UTC", where exactly would I do this? I can't see an option for setting the timezone of a DB connection.
Thanks

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎08-28-2018 04:47 AM

Here:
dbconnect timezone setting

Reply
Solved! Jump to solution

Dworsnop
Path Finder
‎08-28-2018 04:55 AM

Ah thanks FrankVI. From the looks of your screenshot you must be using a more-up-to-date version of DB Connect than me (2.4.0).
Maybe time I did an upgrade!

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎08-28-2018 07:27 AM

Yeah, I'm running 3.1.3 here.

Maybe you could still set it through a props.conf as you would normally do with timezone settings, but not sure if that works for db connect inputs.

0 Karma
Reply
Solved! Jump to solution

Dworsnop
Path Finder
‎08-28-2018 07:36 AM

No, from reading the Splunk Docs it doesn't appear possible in this version.

Happy to be proven wrong though...

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎08-28-2018 07:39 AM

props.conf is independent from DB Connect version right? There must be some way to tell Splunk how to interpret timezones...

0 Karma
Reply
Solved! Jump to solution
Solution

jmallorquin
Builder
‎12-21-2015 08:22 AM

Hi,

The problem is the timezone (is not time format), that you have selected. Probably your rol isn't in the same time zone.

Regards,

Reply
Solved! Jump to solution

horsefez
Motivator
‎12-21-2015 11:29 PM

Oh, ok do you think its wrong because the free cloud is hosted in usa an I live in germany?

0 Karma
Reply
Solved! Jump to solution

jmallorquin
Builder
‎12-22-2015 12:38 AM

No, the problem is that you set a timezone in the logs and your user (admin) have the default timezone

If you go to settings >> Access control >> users and in your user set the same timezone that you configure in the logs, you will get the correct time.

Hope help you

Reply
Solved! Jump to solution

horsefez
Motivator
‎12-22-2015 02:41 AM

Thank you, I found it! ♥

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...