https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22694#M3522 <P>I have a JBoss/Tomcat access log that has an incorrect Timezone configuration, causing Splunk to set the time to an hour ahead.</P> <P>172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0</P> <P>The server is correctly set at PDT, but something is setting this log to stay at -0800. The developer isn't sure where this is set, and would take some time to correct even when we do find the location. How do I properly change the time for this source? It occurs on several hosts (dev/test/staging/production), but only for this source file.</P> <P>I've set props.conf on the indexer to:<BR /> [source::/my/app/path/localhost_access*]<BR /> TZ=PDT</P> <P>Is this incorrect? It didn't change the behavior and I verified with btool that it's in effect.</P> Mon, 09 Apr 2012 23:00:13 GMT mikelanghorst 2012-04-09T23:00:13Z https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22694#M3522 <P>I have a JBoss/Tomcat access log that has an incorrect Timezone configuration, causing Splunk to set the time to an hour ahead.</P> <P>172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0</P> <P>The server is correctly set at PDT, but something is setting this log to stay at -0800. The developer isn't sure where this is set, and would take some time to correct even when we do find the location. How do I properly change the time for this source? It occurs on several hosts (dev/test/staging/production), but only for this source file.</P> <P>I've set props.conf on the indexer to:<BR /> [source::/my/app/path/localhost_access*]<BR /> TZ=PDT</P> <P>Is this incorrect? It didn't change the behavior and I verified with btool that it's in effect.</P> Mon, 09 Apr 2012 23:00:13 GMT https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22694#M3522 mikelanghorst 2012-04-09T23:00:13Z https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22695#M3523 <P>Splunk uses zoneinfo TZ database values (see <A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/data/Applytimezoneoffsetstotimestamps">http://docs.splunk.com/Documentation/Splunk/4.3.1/data/Applytimezoneoffsetstotimestamps</A> and <A href="http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones">http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones</A> ). Did you try US/Pacific for the TZ value?</P> Mon, 09 Apr 2012 23:26:17 GMT https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22695#M3523 ChrisG 2012-04-09T23:26:17Z https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22696#M3524 <P>Yes, I just tried TZ=US/Pacific, but no change.</P> <P>» 4/9/12<BR /> 5:29:41.000 PM </P> <P>[09/Apr/2012:16:29:41 -0800] 172.27.140.119 user1 - HTTP/1.1 POST 200 8969 98 /app/unitSubstitution/loadJSON</P> Mon, 09 Apr 2012 23:31:37 GMT https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22696#M3524 mikelanghorst 2012-04-09T23:31:37Z https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22697#M3525 <P>Some additional things worth trying:</P> <P>First, set an explicit <CODE>TIME_FORMAT</CODE> and <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE> in addition to a <CODE>TZ</CODE> for this source. Make the <CODE>TIME_FORMAT</CODE> and <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE> explicitly ignore the "-0800" bit, preferably by setting <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE> small enough to where the "-0800" part isn't considered.</P> <P>If that doesn't work, as hideous as it is you could filter out the "-0800" using a SEDCMD. (I really hope it doesn't come to this)</P> Tue, 10 Apr 2012 00:27:04 GMT https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22697#M3525 dwaddle 2012-04-10T00:27:04Z https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22698#M3526 <P>Used the data import function on my local instance to set this up. Looks like this will be the answer.</P> Tue, 10 Apr 2012 15:22:56 GMT https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22698#M3526 mikelanghorst 2012-04-10T15:22:56Z https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22699#M3527 <P>You should be able to use <CODE>TZ_ALIAS</CODE> like this:</P> <PRE><CODE>TZ_ALIAS=-0800=PDT </CODE></PRE> Mon, 29 Jun 2015 03:48:36 GMT https://community.splunk.com/t5/Getting-Data-In/Overriding-TZ-for-source/m-p/22699#M3527 woodcock 2015-06-29T03:48:36Z