Splunk Search

Change time zone in log indexing

leandromatperei
Path Finder

Hi,

I have a log that it has the format below, I need his GMT to be -3h.

That is, in the log file the time is (2019-12-08 06: 03: 54.463), however I need it to be indexed in splunk as (2019-12-08 03: 03: 54.463)

(2019-12-09 08:04:57.618)           (2019-12-08 12:47:17.125)
easy_init.27964 (thread #0, tid: 40920) (trace:0) (proc_launch): Process easy_log successfully launched (31412)

(2019-12-09 08:04:57.665)           (2019-12-09 08:04:57.649)
easy_init.exe.27964 (trace:4) (proc_launch): Process dbmon.oci successfully launched (19320)

(2019-12-09 08:04:58.571)           (2019-12-09 08:04:58.571)
tsrv.exe.18260 (trace:0) ([ trace: disabled ] version '8.4' [ build 0 (Jun 11 2019 11:11:18) Update 1220 ]): information

(2019-12-09 08:04:58.571)           (2019-12-09 08:04:58.571)
tsrv.exe.45784 (trace:0) ([ trace: disabled ] version '8.4' [ build 0 (Jun 11 2019 11:11:18) Update 1220 ]): information

The regex below correctly indicates the events, however with the times are not gmt -3h

LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%Y-%m-%d%t%H:%M:%S.%3N
TIME_PREFIX=^\(
disabled=false
pulldown_type=true
0 Karma

arjunpkishore5
Motivator

Set the TZ parameter in the props.conf.

Here's the documentation

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
  the version 6.0 and higher forwarding protocol, use the timezone provided
  by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string

https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Propsconf

0 Karma

richgalloway
SplunkTrust
SplunkTrust

In the props.conf stanza for the sourcetype, add TZ to tell Splunk the time zone.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...