topic Re: How to set the time zone in an index? in Getting Data In

How to set the time zone in an index?

renanprado96 — Thu, 14 Jul 2016 19:15:03 GMT

I want to set the time zone in an index.
The time zone is GMT -03: 00 (São Paulo - Brazil).
How do I do that?

Thank you!

Re: How to set the time zone in an index?

ddrillic — Thu, 14 Jul 2016 19:35:29 GMT

A good discussion at How and where does splunk determine host time zone ?

Re: How to set the time zone in an index?

muebel — Thu, 14 Jul 2016 19:47:34 GMT

Hi renanprado96, Unfortunately a timezone can't be associated with an index. Rather, each event has a timezone specified. In the best case this timezone is pulled directly from the event itself (the timestamp has a timezone splunk can recognize, or be configured to recognize)

Past that, in version 6.0+ Splunk will leverage the timezone set in the OS of the forwarding host. Finally, it will use the timezone of the indexer.

Timezone can also be configured on a per host/source/sourcetype manner by configuring as such in props.conf like so:

[host::nyc*]
TZ = US/Eastern

More info can be found here : http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Applytimezoneoffsetstotimestamps

Please let me know if this answers your question! 😄

Re: How to set the time zone in an index?

woodcock — Thu, 14 Jul 2016 20:01:23 GMT

The link provided in the other answer is a bit out of date and things have changed.

The highest precedence for TZ settings is an explicit value inside any event (provided the TIME_FORMAT is configured to see it). If this is not in place, then the next highest precedence for TZ settings is the props.conf that is on the forwarder, then the one on the Indexers. You can override the TZ setting inside the event by using TZ_ALIAS. There is no spec for index inside props.conf; there is only this:

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.

So you will have to work with sourcetype specification stanzas instead, which should be no problem.
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

Re: How to set the time zone in an index?

renanprado96 — Fri, 15 Jul 2016 18:07:33 GMT

Hello, have not worked yet.
What did I do wrong?

[dbcmp_csv]
EXTRACT-jobname_ricoh = ^(?P<jobname_ricoh>\d+_&\d+&)
FIELD_NAMES = ClienteERP,Aplicacao,ClienteAplicacao,idHistoricoProducao,DataHoraInicio,DataHoraTermino,Quantidade,idEtapa,NomeArquivoImpressao,CentroImpressao,TipoProduto,FormatoPapel,Maquina,GrupoMaquina,Fabricante,SituacaoArqImpressao,SituacaoLote
INDEXED_EXTRACTIONS = csv
TIME_PREFIX = .{0,}DataHoraTermino=
TIME_FORMAT = %s%3N
TZ = America/Sao_Paulo
FIELD_DELIMITER = ,
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

Thanks!

Re: How to set the time zone in an index?

renanprado96 — Fri, 15 Jul 2016 18:09:08 GMT

Hello, have not worked yet.
What did I do wrong?

[dbcmp_csv]
EXTRACT-jobname_ricoh = ^(?P<jobname_ricoh>\d+_&\d+&)
FIELD_NAMES = ClienteERP,Aplicacao,ClienteAplicacao,idHistoricoProducao,DataHoraInicio,DataHoraTermino,Quantidade,idEtapa,NomeArquivoImpressao,CentroImpressao,TipoProduto,FormatoPapel,Maquina,GrupoMaquina,Fabricante,SituacaoArqImpressao,SituacaoLote
INDEXED_EXTRACTIONS = csv
TIME_PREFIX = .{0,}DataHoraTermino=
TIME_FORMAT = %s%3N
TZ = GMT
TZ_ALIAS = GMT = GMT-3:00
FIELD_DELIMITER = ,
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

Thank you!

Re: How to set the time zone in an index?

muebel — Tue, 29 Sep 2020 10:14:59 GMT

Hmm, my guess is that there is something up with the time_prefix and/or time_format config. From the spec:

If the TIME_PREFIX cannot be found in the event text, timestamp extraction will not occur.

Re: How to set the time zone in an index?

renanprado96 — Fri, 15 Jul 2016 18:25:57 GMT

TIME_PREFIX removed and still did not work :'(
I had already tried to removed it
I do not know what to do ..

Re: How to set the time zone in an index?

muebel — Fri, 15 Jul 2016 18:32:26 GMT

Is this props config set on the receiver? (heavy forwarder/indexer)

Setting on the Universal Forwarder isn't enough for it to be effective.

Re: How to set the time zone in an index?

renanprado96 — Fri, 15 Jul 2016 18:40:22 GMT

This configuration is defined in the Splunk server, the data is sent to a SQL database connected by dbConnect v2

Re: How to set the time zone in an index?

woodcock — Fri, 15 Jul 2016 18:48:15 GMT

Show me a sample event first. There is no way to validate your configurations otherwise.

Re: How to set the time zone in an index?

renanprado96 — Fri, 15 Jul 2016 19:17:36 GMT

In these samples the time should be at least 3 hours ago.

"2015-07-24 11:50:41" DATAAREAID="206", RECID=5637144596, DATAAREAID#2="206", ITEMID="002.0001.171", TRANSDATE=1437706800000, SUMOFQTYSEND=1.000000000000, SUMOFQTYRET=0E-12, RECIDLINE=5637184982, TRANSDATETIME=1437749441000, TRANSDATETIMETZID=37001, DATAAREAID#3="206", ITEMNAME="PRINT-INS-RICOH 5000 TINTA DYE PLUS BLACK"


"2015-07-24 11:50:41" DATAAREAID="206", RECID=5637144589, DATAAREAID#2="206", ITEMID="002.0001.163", TRANSDATE=1437706800000, SUMOFQTYSEND=1.000000000000, SUMOFQTYRET=0E-12, RECIDLINE=5637184981, TRANSDATETIME=1437749441000, TRANSDATETIMETZID=37001, DATAAREAID#3="206", ITEMNAME="PRINT-INS-TINTA PIGMENTADA PARA COLORSTREAM COR CYAN"

Re: How to set the time zone in an index?

woodcock — Fri, 15 Jul 2016 21:14:22 GMT

Your field names do not match the data in the events that you posted. Which is correct? Which field is the tmiestamp?

Re: How to set the time zone in an index?

renanprado96 — Mon, 18 Jul 2016 13:12:10 GMT

True, sorry!!

[dynamicsAX_csv]
FIELD_NAMES = DATAAREAID,RECID,DATAAREAID2,ITEMID,TRANSDATE,SUMOFQTYSEND,SUMOFQTYRET,RECIDLINE,TRANSDATETIME,DATAAREAID3,ITEMNAME
INDEXED_EXTRACTIONS = csv
TIME_PREFIX = .{0,}TRANSDATETIME=
TIME_FORMAT = %s%3N
TZ = GMT
TZ_ALIAS = GMT = GMT-3:00
FIELD_DELIMITER = ,
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

I sent the wrong, but I applied in correct.
It was just a mess when sending.

Re: How to set the time zone in an index?

renanprado96 — Mon, 18 Jul 2016 18:00:22 GMT

It is possible to do this for search?

Re: How to set the time zone in an index?

renanprado96 — Mon, 18 Jul 2016 18:00:33 GMT

It is possible to do this for search?

Re: How to set the time zone in an index?

woodcock — Tue, 19 Jul 2016 14:42:33 GMT

Because you have opened another question for this and that one is progressing, the right thing to do is to pick the best "can't do that" answer in this question and click Accept to close this question.
https://answers.splunk.com/answers/432855/how-to-configure-the-timezone-by-sourcetype.html#comment-433036