Re: Splunk taking wrong time from logs

ajaylowes · ‎09-30-2017

Splunk adds one hour to timestamp, when indexing logs.

Logs:
9/18/17 3:46:01.000 PM --> time splunk shows
[][hello][please][help][18/Sep/2017:14:46:01 -0500] --> actual log

I have added the below in my props.conf
[host::xyz*]
TZ = US/Eastern

Also tried TZ = America/New_York ( GMT -5:00)

Server shows this date - Sat Sep 30 15:22:18 EDT 2017

acharlieh · ‎09-30-2017

Assuming that your user is set to Eastern time, then the display of _time in Splunk is correct for what your log has printed:

Your log explicitly states that it's "14:46 UTC-5" which is 15:46 (or 3:46p) in US/Eastern right now (Remember... EDT is UTC-4).

It could be your log is printing the wrong UTC offset, assuming that event you have there actually was at 14:46 EDT instead of 14:46 -0500 You may want to compare the delta of _time and _indextime to figure out if you have an issue there or not.

The explicit time zone in the log takes precedence when determining time zone: https://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Applytimezoneoffsetstotimestamps

Splunk taking wrong time from logs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation