topic Re: Change timezone of logs in Getting Data In

How to change timezone of logs?

smmehadi — Wed, 01 Mar 2023 14:58:28 GMT

We have setup splunk in our environment, and we have logs coming in from different geographies (US/UK/Asia). The logs, all have different timestamps, so we thought of converting them to same timezone (US/EST). For this we made changes in splunk forwarder (/opt/splunkforwarder/etc/apps/search/local/props.conf) to add:
[sourcetype::log4j]
TZ = US/Eastern

but still logs are coming with original time stamp. Then we made similar changs in /opt/splunkforwarder/etc/system/local/props.conf, but that too didn't worked (we restarted forwarder after these changes).

When we made these changes in splunk server (/opt/splunk/etc/system/local/props.conf), the time of log got changed, but it was incorrect. For example "7 Sep 5 AM" of london, appeared as "6 Sep 3 PM", which isn't as expected.
can you please help and how can i debug it?

Re: Change timezone of logs

smmehadi — Fri, 07 Sep 2012 08:41:18 GMT

expected time is "6 Sep 12 PM" (a difference of 5 hour from London time).

Re: Change timezone of logs

dwaddle — Sun, 09 Sep 2012 20:35:38 GMT

Internally, Splunk stores all times in GMT (as a C-style time_t seconds-since Jan 1 1970 00:00:00 GMT). The TZ property in props.conf tells Splunk what timezone the logfiles are from so that it can apply the proper offset to convert them to their GMT-equivalent before storing.

If the events themselves have a TZ defined in them, Splunk applies to offset based on that. Otherwise, the default TZ offset is the TZ of the system that parses the events - which will be either the Indexer or a Heavy Forwarder.

At search time, Splunk 4.3 allows lets you search in your current time zone as defined for your user, and events will be displayed at search time in that time zone.

Re: Change timezone of logs

smmehadi — Mon, 10 Sep 2012 05:00:13 GMT

Thanks, this resolved the issue.

Re: Change timezone of logs

dwaddle — Mon, 10 Sep 2012 14:18:25 GMT

Excellent. Could you please click the accepted-answer checkbox so this will be marked as solved?

Re: Change timezone of logs

srisplunk12 — Tue, 17 Jan 2017 21:01:33 GMT

Hi dwaddle., we are having a similar issue where one of the windows server is sending the log files in GMT but the splunk server is showing only for EST ,so we are receiving the files but with a latency.. So do i need to make changes in the UF that is installed on the windows system that is sending to HF which is connected to Cloud.
Also which phrase in prop.s conf i have the make these changes , can you pls help..

Re: Change timezone of logs

RickCurry — Tue, 18 Jul 2017 15:45:00 GMT

I suggest that you consider opening a new question and make a reference to the one which you have a similar need. It is likely that the only people that will see your question added to the old question are those like me who got here from the results of a search looking for this type of information. Using our own, new question will help assure that it is presented to the group and more likely get the attention it deserves.

To answer your question, the changed indicated above by @dwaddle go into the Indexer (or Heavy Forwarder) props.conf file in the stanza setup for your sourcetype.

Re: Change timezone of logs

Rashish — Wed, 01 Mar 2023 11:26:11 GMT

Hi Guys,

We am running in the similar issues. We are collecting windows security, registry changes & linux auth logs using UF which forwards data to IUF and then to Splunk Cloud indexers. The issue is we have the logs sources located in multiple geo location and each geo location has local IUF's hosted. However, we see some of the sources windows/linux servers are showing data in future.

How do we solve this?