https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10442#M366 <P>Cross-referencing @Sorkin's <A href="http://splunk-base.splunk.com/answers/11768/timezone-offset">answer</A> to a timezone question.</P> Sat, 03 Sep 2011 18:07:47 GMT lguinn2 2011-09-03T18:07:47Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10432#M356 <P>If I have a basic input which sets the sourcetype, configuring a timezone offset works great:</P> <P>In inputs.conf:</P> <PRE><CODE>[monitor:///path/to/foo.log] sourcetype = foo </CODE></PRE> <P>In props.conf:</P> <PRE><CODE>[foo] TZ = GMT </CODE></PRE> <P>If I have to setup flexible sourcetyping, the above configuration does not work:</P> <P>In inputs.conf:</P> <PRE><CODE>[monitor:///path/to/foo.log] </CODE></PRE> <P>In props.conf:</P> <PRE><CODE>[source::...foo.log] TRANSFORMS-abc = setFooSourcetype, setBarSourcetype [foo] TZ = GMT </CODE></PRE> <P>I'm guessing the timezone is set before the new sourcetype is applied so that is why the TZ parameter is not honored. So I then tried to set the timezone offset using host, which also does not work (no matter the ordering of the stanzas):</P> <PRE><CODE>[source::...foo.log] TRANSFORMS-abc = setFooSourcetype [host::foohost*] TZ = GMT </CODE></PRE> <P>What other options do I have? I'm not sure where in the indexing pipeline metadata is set.</P> Sat, 20 Mar 2010 08:51:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10432#M356 hulahoop 2010-03-20T08:51:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10433#M357 <P>The <CODE>TZ</CODE> parameter is used and set by the parsing pipeline: <A href="http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F" rel="nofollow">http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F</A> and I believe that timestamp processing occurs before any TRANSFORMS. Setting <CODE>TZ</CODE> with a <CODE>host::</CODE> or <CODE>source::</CODE> stanza should work (as it does with a sourcetype), so I'm not sure why it isn't working for you. Is there another stanza that might also be matching and overriding?</P> Sun, 21 Mar 2010 01:56:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10433#M357 gkanapathy 2010-03-21T01:56:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10434#M358 <P>I think that is precisely the problem--"timestamp processing occurs before any TRANSFORMS." This data stream requires a sourcetype and host override. Is there a way to re-process TZ <EM>after</EM> the sourcetype and host override? Can I create my own processor for this or edit the pipeline order for the parsing queue?</P> <P>More details: all events are streamed via TCP by a syslog server, except the events are not in syslog format. So we need to add index-time rules to assign sourcetype and host.</P> Mon, 22 Mar 2010 09:30:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10434#M358 hulahoop 2010-03-22T09:30:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10435#M359 <P>oh, okay, yes if you're setting host in props/transforms, then no stanza referring to them is going to work (by that host). Are all events from multiple hosts coming in from that same syslog server? Is it possible to split the hosts from different time zones to different syslog servers <EM>or</EM> different TCP ports?</P> Mon, 22 Mar 2010 21:24:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10435#M359 gkanapathy 2010-03-22T21:24:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10436#M360 <P>Thank you, G. We are still in the eval stage here so are reluctant to make changes like this in the production environment. The preference is to configure Splunk to handle this case if possible. Are you recommending we do not alter the parsing pipeline?</P> Tue, 23 Mar 2010 00:24:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10436#M360 hulahoop 2010-03-23T00:24:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10437#M361 <P>You really want to declare the TZ by host, ideally, since the logs are almost certainly generated by some system in either its localtime or in GMT.</P> <P>However, sometimes life is more complicated than that, like syslog, where the host is identified via a transform, and the original host (used during timestamp extraction) is going to just be where we're acquiring the data.</P> <P>In this case you're going to just have to use a source pattern to get reasonable behavior, with the hosts split out into files, for example by syslog-ng.</P> <P>Of course if you have the option of simply altering the timestamp format to include the timezone, that's really ideal for ALL parties, not just Splunk.</P> Thu, 25 Mar 2010 02:16:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10437#M361 jrodman 2010-03-25T02:16:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10438#M362 <P>In the current release of Splunk, in the exact scenario described above, it is not possible to apply TZ when using host/sourcetype overriding. The only alternative is to have the specific hosts forward directly to Splunk so as to create a dedicated source.</P> Wed, 14 Apr 2010 05:31:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10438#M362 hulahoop 2010-04-14T05:31:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10439#M363 <P>I just ran into this problem. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 22 Dec 2010 04:09:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10439#M363 vbumgarner 2010-12-22T04:09:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10440#M364 <P>Man, it would be nice if Splunk's WinEventLog inputs included timezone information.</P> Sat, 26 Feb 2011 00:51:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10440#M364 gfriedmann 2011-02-26T00:51:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10441#M365 <P>If the timezone is declared at time of parsing, it is stored. However, the date parsing code essentially passes the buck for localtime to the system libc, so doesn't know it. Getting the offset is some work. Getting the timezone is pretty hard. However, this sounds like work worth doing. It would be very helpful if you could file an enhancement request with support with one or two use cases to add color to the need.</P> Wed, 02 Mar 2011 02:23:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10441#M365 jrodman 2011-03-02T02:23:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10442#M366 <P>Cross-referencing @Sorkin's <A href="http://splunk-base.splunk.com/answers/11768/timezone-offset">answer</A> to a timezone question.</P> Sat, 03 Sep 2011 18:07:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-timezone-in-an-advanced-configuration/m-p/10442#M366 lguinn2 2011-09-03T18:07:47Z