How can I immediately verify my changes have put these host's new events in the correct TZ?

woodams — Thu, 08 Sep 2022 20:14:13 GMT

I have a number of hosts sending logs "in the future". I've configured my indexer's props.conf to adjust the TZ for the select few problem children and restarted the indexer.

How can I immediately verify my changes have put these host's new events in the correct TZ (meaning, no longer in the future)

Basically the existing "future events" are making the timeline noisy and I can't see where (or perhaps *when*) new events are coming in. I could wait several hours for them to clear out, but that's not ideal.

Re: How can I immediately verify my changes have put these host's new events in the correct TZ?

andrew_nelson — Fri, 09 Sep 2022 11:03:26 GMT

Quickest way is to get the most recently indexed event and check what _time its being indexed at.
First set your search timeframe to Today or Earliest : -1d Latest : +1d. (This will catch TZ errors. Anything more than 1 day in the future is likely not TZ issue)

You can access the actual time your indexer processed the event with _indextime.

Something like:

index=abc sourcetype=xyz host=123 | eval time=_time, index_time=_indextime | eval _time=index_time | stats latest(time) as lastLog | convert ctime(lastLog)

By swapping in the time the indexer processed the events for _time, you can get the latest values based on the most recently received events and not the time they were indexed at.

topic How can I immediately verify my changes have put these host's new events in the correct TZ? in Getting Data In

How can I immediately verify my changes have put these host's new events in the correct TZ?

Re: How can I immediately verify my changes have put these host's new events in the correct TZ?