Hi @isoutamo, The below is the raw event. I dont have access to props.conf. so just wanted to extract
You do not need direct access to props.conf. Just use Splunk Web's Settings -> Source Types interface. There are two menus where you can customize your timestamp handling, Timestamp and Advanced.
As @isoutamo says, your problem might not be in Splunk's time extraction; instead, the apparent difference could be in time zone. If this is not the case, the best cause of action is to correct time extraction. Search time correction should only be used as the last resort. It can be done, of course.
| rex "^(?<timestamp>\S+ \S+)"
| eval _time = strptime(timestamp, "%F %T,%3N")The big problem with search time adjustment of an essential datapoint such as _time is that you lose precision when trying to set index search interval.
I indexed this log in a new sourcetype on a test machine in the GMT+2 timezone, and the timestamp seems to have extracted properly. We would need to know what your timestamp settings in props.conf are to find out where the timestamp extraction is going wrong.
Hi @isoutamo, The below is the raw event. I dont have access to props.conf. so just wanted to extract
You do not need direct access to props.conf. Just use Splunk Web's Settings -> Source Types interface. There are two menus where you can customize your timestamp handling, Timestamp and Advanced.
As @isoutamo says, your problem might not be in Splunk's time extraction; instead, the apparent difference could be in time zone. If this is not the case, the best cause of action is to correct time extraction. Search time correction should only be used as the last resort. It can be done, of course.
| rex "^(?<timestamp>\S+ \S+)"
| eval _time = strptime(timestamp, "%F %T,%3N")The big problem with search time adjustment of an essential datapoint such as _time is that you lose precision when trying to set index search interval.
