https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210731#M41514 <P>So many things (exceptions) are changing in the pipeline lately (e.g. <CODE>INDEXED_ETRACTIONS</CODE>) that I am starting to feel like I need to re-evaluate everything that I think I know). In any case, I will take your word for it that this will for sure need a Heavy Forwarder (indexing twice) to make A1 work.</P> Sun, 01 Nov 2015 18:03:40 GMT woodcock 2015-11-01T18:03:40Z https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210723#M41506 <P>We currently have 4 servers that send data to the Splunk indexer. Each server is located in different time zone, Our indexer is in CST timezone. We want to index the data in CST time. Is there anyway it can be before indexing the data. </P> Fri, 30 Oct 2015 19:25:05 GMT https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210723#M41506 tmuthuk 2015-10-30T19:25:05Z https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210724#M41507 <P>Your question is not specific enough to give you a specific answer but let me cover all the bases.</P> <P>Q1:<BR /> How do I modify the raw data so that the timestamp is converted to CST?<BR /> A1:<BR /> Use this solution while discriminating with <CODE>host-based</CODE> stanza headers in <CODE>props.conf</CODE> (each host is in a particular timezone so you know how to modify the timestamp for particular TZs).<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles</A><BR /> Be sure to also see Q2/A2 and specify <CODE>TZ=CST</CODE> now that you have munged all timestamps to that TZ (you can use a <CODE>[default]</CODE> insteiad of <CODE>host-based</CODE> stanza header).<BR /> This might have to be done with a Heavy Forwarder (Index twice).</P> <P>Q2:<BR /> How do I ensure that Splunk knows what TZ goes with which host so that events get timestamped correctly?<BR /> A2:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/data/Applytimezoneoffsetstotimestamps">http://docs.splunk.com/Documentation/Splunk/latest/data/Applytimezoneoffsetstotimestamps</A></P> <P>Q3:<BR /> How do I make sure that Splunk normalizes my environment so that I can specify <CODE>TimePicker</CODE> values in my local time and see events with times displayed in my local time?<BR /> A3:<BR /> There is a user/login-level setting that tells Splunk how to normalize timestamps when presenting data to each user. It is in <CODE>Settings</CODE> -&gt; <CODE>Edit Account</CODE> -&gt; <CODE>Times zone</CODE>. Once this is set, the <CODE>TimePicker</CODE> part is solved. This normalized time is shown only if you select <CODE>List</CODE> or <CODE>Table</CODE> (e.g. not <CODE>Raw</CODE>) in the upper-left corner control which is above the search results. Doing so adds a <CODE>Time</CODE> column next to the <CODE>Event</CODE> column showing <CODE>_time</CODE> normalized to your TZ for each event.</P> Fri, 30 Oct 2015 19:49:00 GMT https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210724#M41507 woodcock 2015-10-30T19:49:00Z https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210725#M41508 <P>The best thing to do is to add timezone information to the events at the source. Instead of <CODE>2015-10-31 14:15:16.123</CODE>, make it produce <CODE>2015-10-31 14:15:16.123 -0500</CODE>. Then Splunk will automagically do the right thing.</P> Sun, 01 Nov 2015 00:14:19 GMT https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210725#M41508 martin_mueller 2015-11-01T00:14:19Z https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210726#M41509 <P>A1 cannot work, regex replacements happen after timestamp extraction.</P> Sun, 01 Nov 2015 00:14:26 GMT https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210726#M41509 martin_mueller 2015-11-01T00:14:26Z https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210727#M41510 <P>"Best" is certainly debatable in the broadest sense. Doing this adds several bytes to each message and costs license and disk space. Granted, it is the most foolproof way to ensure correct timestamping.</P> Sun, 01 Nov 2015 03:19:53 GMT https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210727#M41510 woodcock 2015-11-01T03:19:53Z https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210728#M41511 <P>Have you tried this (recently) or can you point to documentation to back up this claim? The reason I ask (I have not tested it) is because <CODE>SEDCMD</CODE> happens before indexing (that is the whole point) and because some <CODE>timestamping</CODE> does (can) happen later or else <CODE>TZ_ALIAS</CODE> could not work. The fact that it does work very heavily implies that <CODE>_raw</CODE> finalizes before <CODE>date_zone</CODE> does. If so, then A1 can work.</P> Sun, 01 Nov 2015 03:29:35 GMT https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210728#M41511 woodcock 2015-11-01T03:29:35Z https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210729#M41512 <P>Timestamp extraction happens in the merging pipeline, while regexreplacement happens after that in the typing pipeline.</P> <P><A href="https://wiki.splunk.com/Community:HowIndexingWorks">https://wiki.splunk.com/Community:HowIndexingWorks</A></P> Sun, 01 Nov 2015 12:39:53 GMT https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210729#M41512 martin_mueller 2015-11-01T12:39:53Z https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210730#M41513 <P>I'd take reliable timestamps over a few bytes of license any day of the week.</P> Sun, 01 Nov 2015 12:42:55 GMT https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210730#M41513 martin_mueller 2015-11-01T12:42:55Z https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210731#M41514 <P>So many things (exceptions) are changing in the pipeline lately (e.g. <CODE>INDEXED_ETRACTIONS</CODE>) that I am starting to feel like I need to re-evaluate everything that I think I know). In any case, I will take your word for it that this will for sure need a Heavy Forwarder (indexing twice) to make A1 work.</P> Sun, 01 Nov 2015 18:03:40 GMT https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210731#M41514 woodcock 2015-11-01T18:03:40Z https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210732#M41515 <P>Adding a HF will move the pipelines' processors to the HF, but the order remains the same. You'd have to cook the data twice, which is usually more trouble than it's worth.</P> <P><A href="https://answers.splunk.com/answers/224312/hf1-hf2-indexer-how-to-route-a-set-of-data-that-ha.html">https://answers.splunk.com/answers/224312/hf1-hf2-indexer-how-to-route-a-set-of-data-that-ha.html</A></P> <P>Setting TZ per host is much easier than trying to modify the timestamp string per host using regex.</P> Sun, 01 Nov 2015 18:14:59 GMT https://community.splunk.com/t5/Getting-Data-In/indexing-multiple-timezone-data/m-p/210732#M41515 martin_mueller 2015-11-01T18:14:59Z