How to pull timezone from a field in each event?

rmjohns — Mon, 15 May 2023 13:48:58 GMT

Our server is forwarding events for us and includes some extra fields at the beginning of each event. One of those fields is the timezone offset of the server.

So the event might look like:

domain,hostname,timezone,path,log_message

Where the log_message contains a timestamp but the timestamp can be in different locations in the log_message and the timestamp can have different formats. The timestamp does not include timezone information.

Splunk does a good job of finding the timestamps and creating the _time to match, but I can't figure out how to apply the timezone field.

I really want to have in my props.conf to have TZ= reference the timezone field from the events:
TZ=timezone

but that doesn't seem to work.

Re: Pulling timezone from a field in each event.

rmjohns — Fri, 12 May 2023 20:23:12 GMT

Surprisingly, it seems to work if I add a TIMESTAMP_FIELDS line to the bottom of the source type section like:

[LOGDATA] EXTRACT-LOG = ^(?<domain>[^,]+),(?<host>[^,]+),[^,]+,[^,]+,[^,]+,(?<timezone>[^,]+),(?<sourcename>[^,]+),(?<TEXT>.+)$ TIME_FORMAT = %m/%d/%Y %H:%M:%S TIMESTAMP_FIELDS = _time, timezone

Splunk must create the _time field and then update it with the timezone?

topic Re: Pulling timezone from a field in each event. in Getting Data In

How to pull timezone from a field in each event?

Re: Pulling timezone from a field in each event.