Re: How to manage _time field with schedule change...

mah · ‎10-27-2020

Hi,

With the time change, my logs are shifted by one hour (logs from an HEC input) :

It is the same case on many logs from several sources.

Like logs from Azure add-on (the props is correctly set with a TIME_PREFIX on the field Horodate) :

And same case from other add-on...

How can I fix this ?

Thank you!

richgalloway · ‎10-27-2020

What is the TIME_FORMAT setting in props.conf?

Is the system clock correct? What time zone does the system use?

---
If this reply helps you, Karma would be appreciated.

mah · ‎10-27-2020

Actually, I have this issue on many logs.

What is the TIME_FORMAT setting in props.conf?

Example of props.conf for the two pictures below :

[sourcetype_picture1]

SHOULD_LINEMERGE = false

LINE_BREAKER = ([\r\n]+)

TRUNCATE = 999999

TIME_PREFIX = \"\@timestamp\"\:

[sourcetype_picture2]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1
INDEXED_EXTRACTIONS = json
TIME_PREFIX = Horodate

This both example worked good until the schedule change on Sunday.

Is the system clock correct?

Actually I did not find a TZ by default for the system.

This TZ parameter is set on some apps like add-on splunk but sometime it is UTC and sometime it is GMT .

What time zone does the system use?

I did not find a TZ by default for the system.

How to manage _time field with schedule change in Europe zone ?