https://community.splunk.com/t5/Getting-Data-In/IIS-DST-Time-Conversion-Problem/m-p/66320#M13328 <P>I have been searching the forums for a solution to my problem, but have not found a solution that has worked. So I decided to try asking.</P> <P>I have a remote server running IIS that has Splunk (4.3.1) installed and setup as a lightweight forwarder. I have Splunk grabbing the local IIS logs and sending them to my main Splunk (4.3.1) indexer. On the remote system, I have not made any changes to conf files. On the indexer, I setup the props.conf file with this:</P> <PRE><CODE>[iis-3] pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 32 SHOULD_LINEMERGE = False REPORT-iis_default = iis_referer TRANSFORMS-comment = comment TZ=Europe/London </CODE></PRE> <P>"iis-3" is the sourcetype and "iis_referer" is the transforms mapping that I created. </P> <P>The logs are being parsed fine for all their values except the time. The time zone setting of "Europe/London" was working correctly until the last Daylight Savings Time (DST) change. The index server and I are in "America/Los_Angeles". The indexer retrieves time from an NTP server and is set to the correct time and time zone. If I run a query to see the latest event in the IIS log, it shows the latest event (in a Splunk translated time) of 1 hour earlier than what it should be showing.</P> <P>Do I need to use another TZ value or something else?</P> Sat, 02 Jun 2012 00:58:25 GMT Justin 2012-06-02T00:58:25Z https://community.splunk.com/t5/Getting-Data-In/IIS-DST-Time-Conversion-Problem/m-p/66320#M13328 <P>I have been searching the forums for a solution to my problem, but have not found a solution that has worked. So I decided to try asking.</P> <P>I have a remote server running IIS that has Splunk (4.3.1) installed and setup as a lightweight forwarder. I have Splunk grabbing the local IIS logs and sending them to my main Splunk (4.3.1) indexer. On the remote system, I have not made any changes to conf files. On the indexer, I setup the props.conf file with this:</P> <PRE><CODE>[iis-3] pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 32 SHOULD_LINEMERGE = False REPORT-iis_default = iis_referer TRANSFORMS-comment = comment TZ=Europe/London </CODE></PRE> <P>"iis-3" is the sourcetype and "iis_referer" is the transforms mapping that I created. </P> <P>The logs are being parsed fine for all their values except the time. The time zone setting of "Europe/London" was working correctly until the last Daylight Savings Time (DST) change. The index server and I are in "America/Los_Angeles". The indexer retrieves time from an NTP server and is set to the correct time and time zone. If I run a query to see the latest event in the IIS log, it shows the latest event (in a Splunk translated time) of 1 hour earlier than what it should be showing.</P> <P>Do I need to use another TZ value or something else?</P> Sat, 02 Jun 2012 00:58:25 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-DST-Time-Conversion-Problem/m-p/66320#M13328 Justin 2012-06-02T00:58:25Z https://community.splunk.com/t5/Getting-Data-In/IIS-DST-Time-Conversion-Problem/m-p/66321#M13329 <P>I thought that IIS logs were always stored in UTC. If so, your setting should say</P> <PRE><CODE>TZ=UTC </CODE></PRE> <P>I wonder if perhaps you have been affected by "British Summer Time" - as <CODE>Europe/London</CODE> would be affected by that, while <CODE>UTC</CODE> would not... I don't think the problem is caused by the "America/Los Angeles" setting.</P> Mon, 04 Jun 2012 20:36:18 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-DST-Time-Conversion-Problem/m-p/66321#M13329 lguinn2 2012-06-04T20:36:18Z https://community.splunk.com/t5/Getting-Data-In/IIS-DST-Time-Conversion-Problem/m-p/66322#M13330 <P>I was able to get the time conversion to work. What I did was upgrade to splunk version 4.3.2 on the forwarder and indexer, added spaces around the "=" for the TZ variable, changed the timezone to "Africa/Casablanca", and I restarted the splunkd service on the indexer. I am not sure if all of those were required for the fix, but after I did all that the time conversions started working.</P> <P>Here is the new props.conf config from the indexer for reference.</P> <PRE><CODE>[iis-3] pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 32 SHOULD_LINEMERGE = False REPORT-iis_referer = iis_referer TRANSFORMS-comment = comment TZ = Africa/Casablanca </CODE></PRE> Fri, 08 Jun 2012 19:48:02 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-DST-Time-Conversion-Problem/m-p/66322#M13330 Justin 2012-06-08T19:48:02Z