Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk Time stamp modification
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Time stamp modification
Hi Team,
We are in splunk 6.5.
Our forwarder machines are having Brasilia Time zone and our indexer is on UTC time zone.
I have tried updating the below entry on Props.conf file on my forwarders machine.
[test]
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%f
TIME_PREFIX=^
TZ=America/Sao_Paulo
MAX_TIMESTAMP_LOOKAHEAD=25
Still I can see the indexed events are in UTC time zone in GUI. Please help me here on this issue.
Regards,
Abilan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We need to see a sample event and your inputs.conf. It would be nice to see transforms.conf, too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the very same issue not so long ago, and the resolution was that the props.conf on the INDEXER needed to have the stanza added, not on the forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which also required that I go to this page on the indexer or restart the indexer service.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
good call, dont forget restart! Abilan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
./splunk btool props list test --debug need the sourcetype on the forwarder and indexer.
EDIT : updated command to reflect different soucretype. as you have it called test now...other thread is sched
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Thanks again for your help.
I have executed the query on my forwarder. Please find the output below. sourcetype is empty here.
/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf [scheduler]
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf ANNOTATE_PUNCT = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf AUTO_KV_JSON = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE_DATE = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf CHARSET = UTF-8
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf DATETIME_CONFIG = /etc/datetime.xml
/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+-]\d+ )?(?P[^ ]*)\s+(?P[^ ]+) - (?P.+)
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf HEADER_MODE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_MODEL = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_SOURCETYPE = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LINE_BREAKER_LOOKBEHIND = 100
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_AGO = 2000
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_HENCE = 2
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_AGO = 3600
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_HENCE = 604800
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_EVENTS = 256
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_BREAK_AFTER =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_AFTER =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_BEFORE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION = indexing
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-all = full
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-inner = inner
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-outer = outer
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-raw = none
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-standard = standard
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SHOULD_LINEMERGE = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRANSFORMS =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRUNCATE = 10000
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf detect_trailing_nulls = false
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf maxDist = 100
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf priority =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf sourcetype =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
correct name is sched. Just for example I have given it as test.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
