Splunk Search

Change time zone in log indexing

Path Finder


I have a log that it has the format below, I need his GMT to be -3h.

That is, in the log file the time is (2019-12-08 06: 03: 54.463), however I need it to be indexed in splunk as (2019-12-08 03: 03: 54.463)

(2019-12-09 08:04:57.618)           (2019-12-08 12:47:17.125)
easy_init.27964 (thread #0, tid: 40920) (trace:0) (proc_launch): Process easy_log successfully launched (31412)

(2019-12-09 08:04:57.665)           (2019-12-09 08:04:57.649)
easy_init.exe.27964 (trace:4) (proc_launch): Process dbmon.oci successfully launched (19320)

(2019-12-09 08:04:58.571)           (2019-12-09 08:04:58.571)
tsrv.exe.18260 (trace:0) ([ trace: disabled ] version '8.4' [ build 0 (Jun 11 2019 11:11:18) Update 1220 ]): information

(2019-12-09 08:04:58.571)           (2019-12-09 08:04:58.571)
tsrv.exe.45784 (trace:0) ([ trace: disabled ] version '8.4' [ build 0 (Jun 11 2019 11:11:18) Update 1220 ]): information

The regex below correctly indicates the events, however with the times are not gmt -3h

0 Karma


Set the TZ parameter in the props.conf.

Here's the documentation

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
  the version 6.0 and higher forwarding protocol, use the timezone provided
  by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string


0 Karma


In the props.conf stanza for the sourcetype, add TZ to tell Splunk the time zone.

If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...