topic Re: Getting the timezone from the operating system for a universal forwarder in Getting Data In

Getting the timezone from the operating system for a universal forwarder

TONYBYERS — Thu, 11 Dec 2014 16:17:20 GMT

Some log events do not have timezone information in it so I need to set the timezone in the props.conf on the forwarder. This works fine however we have many universal forwarders in multiple timezone and it would be useful to have one standard build. Is it possible to get the forwarder to get the timezone information from the underlying OS?

Re: Getting the timezone from the operating system for a universal forwarder

aljohnson_splun — Fri, 12 Dec 2014 18:36:58 GMT

You may want to look at how timestamp assignment works.

Re: Getting the timezone from the operating system for a universal forwarder

TONYBYERS — Fri, 12 Dec 2014 19:52:26 GMT

Thanks. I was hoping the that I could get the timezone information from the OS so I do not have to have a specific build for each timezone

Re: Getting the timezone from the operating system for a universal forwarder

lguinn2 — Fri, 12 Dec 2014 22:09:37 GMT

As of version 6, Splunk forwarders provide the local OS timezone as the default. If the data (the log file or whatever) does not specify a timezone, the local OS timezone will be used.

"If an event that arrives at an indexer originated at a forwarder, and both the forwarder and the receiving indexer run Splunk Enterprise 6.0 or later, then Splunk Enterprise uses the time zone that the forwarder provides." from the Getting Data In manual.

Re: Getting the timezone from the operating system for a universal forwarder

TONYBYERS — Mon, 15 Dec 2014 14:52:35 GMT

I saw that in the documentation but I don't think it works that way. If there is no timezone information in the event and nothing in the props.conf on the forwarder then there will be no timezone information sent from the forwarder. If there was then the last statement in the documentation would be redundant "Splunk Enterprise uses the time zone of the server that indexes the event. ". Or I am misreading the documentation?

Thanks

Re: Getting the timezone from the operating system for a universal forwarder

lguinn2 — Mon, 15 Dec 2014 17:54:05 GMT

I assure that it works that way. As of Splunk 6.0, the data packet sent from the forwarder to the indexer always includes basic info about the forwarder itself, including the forwarder's local system timezone.

You are misreading the documentation. "Splunk Enterprise uses the time zone of the server that indexes the event." means that, if all else fails, Splunk will use the indexer's timezone.

It is very common for Splunk forwarders to be versions behind the indexers. So if you have a 5.x forwarder, you can certainly forward to a 6.x indexer. In that case, there will be no forwarder local system time - and the default timezone will be the timezone of the indexer. If you have a 6.x forwarder, the default will be the timezone of the forwarder.

Re: Getting the timezone from the operating system for a universal forwarder

TONYBYERS — Tue, 16 Dec 2014 19:48:46 GMT

I am getting very odd behaviour here and it is more complex that I originally thought. What I am going to do is open a case with Splunk support - even though I believe you work for Splunk, I need this tracked. Thanks for reaching out to me and trying to fix it. Tony

Re: Getting the timezone from the operating system for a universal forwarder

lguinn2 — Tue, 16 Dec 2014 21:13:44 GMT

Absolutely open a case with Support - that's the right thing to do when stuff doesn't seem to work as it should!

Re: Getting the timezone from the operating system for a universal forwarder

TONYBYERS — Fri, 19 Dec 2014 19:47:13 GMT

Thanks once again for your help - the problem turned out to be user error - in other words, I hadn't read the documentation correctly and had misconfigured props.conf