Splunk Search

setting the time format for timezone offset in props

kteng2024
Path Finder

hi,

I would like extract the timezone offset in time format in props.
example time format , 2017-02-05T01:20:10.049-0500: 0.855:

TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N-%Z

But the above timeformat which i defined is not working. I want my timestamp in splunk to have upto 2017-02-05T01:20:10.049-0500 ignoring 0.855

0 Karma
1 Solution

bshuler_splunk
Splunk Employee
Splunk Employee

%Y-%m-%dT%H:%M:%S.%3N%Z

View solution in original post

bshuler_splunk
Splunk Employee
Splunk Employee

%Y-%m-%dT%H:%M:%S.%3N%Z

kteng2024
Path Finder

thank you for reply but it is not working.

0 Karma

woodcock
Esteemed Legend

This needs to be deployed to your indexers and splunkd restarted there and even then only events that are indexed post-restart will show the effects of the new configurations.

woodcock
Esteemed Legend

I see that this is accepted; so is it working now?

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...