Splunk Cloud - props.conf setting for changing TZ...

rakesh_498115 · ‎08-12-2021

Hi All,

I have the below sample events in my log data i.e. in UTC format , i want Splunk to change the event time to AEST time. I Assume Splunk would definitely convert in to AEST format since the cloud we use for Australian project/region.

My Sample Data looks like below in UTC format -

2021-08-11T01:16:25.373937Z I-6083-EP S< : icexsTrace-icexs5-20210811-1116-037.trc64:0000298 | X 8 NRRS202108111116250196534269 N ack_nak_response=ack
2021-08-11T01:16:25.381943Z I-6016-EP R> : icexsTrace-icexs5-20210811-1116-037.trc64:0000314 | 8 MH18000000000000000731127354 P AMQ LUXP112 , ` * MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 CANONICAL CODE 736062787787
2021-08-11T01:16:25.381991Z E-6016-EP S> : icexsTrace-icexs5-20210811-1116-037.trc64:0000323 | _ *SAMPL1* SW051001 MHS18P1 SWLP1 ZP11SIV HXU4P73A MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 CANONICAL CODE 736062787787
2021-08-11T01:16:25.422824Z E-6016-EP R< : icexsTrace-icexs5-20210811-1116-037.trc64:0000392 | ' MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 00CANONICAL CODE 736062787787 001000000000879575CR000000000879575CRAUD00000000000000000000000000000013d46777ec304eadb673f30ed0487f99 *CSMOKY*
2021-08-11T01:16:25.423000Z I-6016-EP S< : icexsTrace-icexs5-20210811-1116-037.trc64:0000399 | 8 MH18000000000000000731127354 MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 00CANONICAL CODE 736062787787 001000000000879575CR000000000879575CRAUD00000000000000000000000000000013d46777ec304eadb673f30ed0487f99
2021-08-11T01:16:25.428780Z E-6053-EP R< : icexsTrace-icexs5-20210811-1116-037.trc64:0000419 | <BusMsg> <AppHdr xmlns="urn:iso:std:iso:20022:tech:xsd:head.001.001.01"> <Fr> <FIId> <FinInstnId> <BICFI>RSBKAUFSXXX</BICFI> </FinInstnId> </FIId> </Fr> <To> <FIId> <FinInstnId> <BICFI>WPACAU2SXXX</BICFI> </FinInstnId> </FIId> </To> <BizMsgIdr>RSBKAUFSXXX20210811000116253109041</BizMsgIdr> <MsgDefIdr>pacs.002.001.06</MsgDefIdr> <BizSvc>npp.stlmnt.01-sct.04</BizSvc> <CreDt>2021-08-11T01:16:25.310Z</CreDt> <Prty>NORM</Prty> </AppHdr> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:pacs.002.001.06"> <FIToFIPmtStsRpt> <GrpHdr> <MsgId>RSBKAUFSXXX20210811000116253109041</MsgId> <CreDtTm>2021-08-11T01:16:25.310Z</CreDtTm> <InstgAgt> <FinInstnId> <BICFI>RSBKAUFSXXX</

And Each line represents a event in my log , So i have defined the below sourcetype settings -

[ <SOURCETYPE NAME> ]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=AUTO
disabled=false

But Still i could see events timestamp as UTC format only in Splunk , How would i change it have to AEST Timezone for events..

Could you please help with the settings ??

m_pham · ‎08-16-2021

The source of truth for the timestamp is in the log itself. What you want to do is set your timezone for your user preference within Splunk so that it shows your preferred time zone when you run your searches.

On your search head, click on: Username > Preferences > Time Zone

Splunk Cloud - props.conf setting for changing TZ to AEST for my events data in UTC format

props.conf

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?