Hello Splunkers!
Initially I added the monitor stanza for all the inputs from various time zones, and when I had a check there was a difference between _time and the time present in the event: there was a lag of 1 or 2 hours depending on that country's time zone and the Splunk time zone. I then figured out that it is because Splunk looks for a timestamp in the event and parses the data. Now, I need to monitor logs being received from different time zones in various countries while Splunk is in a different time zone. Can you please drop in your knowledge on this?
When I investigated, I found that we can add the settings below as per https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Propsconf
BREAK_ONLY_BEFORE_DATE = <boolean>
DATETIME_CONFIG = NONE
And I could see that there are options to define the time zones using TZ. Can anyone help me out please!
Example: My source:
test.csv
SYSTEMDATE,SYSTEMTIME,FAILUREMESSAGE
"2022-05-04","12.51.08", The JobA has failed
"2022-05-04","13.00.05", The JobB has failed
Data reflecting in Splunk UI:
Time                      Event
04/05/2022 12:51:03.000   SYSTEMDATE,SYSTEMTIME,FAILUREMESSAGE
04/05/2022 11:51:08.000   "2022-05-04","14.51.08",The JobA has failed
04/05/2022 12:00:05.000   "2022-05-04","13.00.05",The JobB has failed
Only the event below reflects the current time when the job is triggered from the application end, which is the correct one, since this line has no timestamp defined.
04/05/2022 12:51:03.000   SYSTEMDATE,SYSTEMTIME,FAILUREMESSAGE
Source time zone: various countries like Italy, Romania, Cyprus, etc.
Destination/Splunk Time Zone: BST
Many thanks!
Sarah
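As an added example (not from the post above or from Splunk's own documentation), the props.conf stanzas below show how a per-source TZ setting, together with an explicit TIME_PREFIX and TIME_FORMAT matching the CSV layout in the post, tells Splunk which zone each file's timestamps are written in. The source paths, the sourcetype name and the TZ identifiers are assumptions chosen for illustration; the real monitor paths and countries must be substituted. TZ is honoured where the data is first parsed (indexer or heavy forwarder), so the stanzas belong on that tier.

```ini
# Added example, not configuration from the original post.
# Assumed source paths and sourcetype name; replace with the real inputs.

# Shared parsing rules for the CSV layout shown in the post:
#   "2022-05-04","12.51.08", The JobA has failed
[job_failures_csv]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Skip the opening quote, then read the date and time exactly as written,
# treating the literal "," between the two quoted fields as part of the format.
TIME_PREFIX = ^"
TIME_FORMAT = %Y-%m-%d","%H.%M.%S
MAX_TIMESTAMP_LOOKAHEAD = 25

# Per-country overrides. A [source::...] stanza takes precedence over the
# sourcetype stanza for the keys it sets, so only TZ needs to differ here.
# TZ values are tz database identifiers (assumed zones for the countries named).
[source::/opt/jobs/italy/test.csv]
sourcetype = job_failures_csv
TZ = Europe/Rome

[source::/opt/jobs/romania/test.csv]
sourcetype = job_failures_csv
TZ = Europe/Bucharest

[source::/opt/jobs/cyprus/test.csv]
sourcetype = job_failures_csv
TZ = Asia/Nicosia
```

With TZ set, Splunk converts each parsed timestamp to a UTC epoch for _time and the UI then renders it in the searching user's zone (BST in the post), so an Italian event written at 12.51.08 shows as 11:51:08 BST, which is the intended result rather than the 1-2 hour lag seen when the indexer's own zone is assumed. The header row still carries no timestamp and keeps Splunk's default fallback behaviour; if the files are forwarded by a universal forwarder per country, a [host::...] stanza with the same TZ can replace the path-based stanzas.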