topic Re: Timezone conversion issue on HF in Getting Data In

Timezone conversion issue on HF

bkumarm — Tue, 29 Sep 2020 10:18:44 GMT

We have a HF in UTC timezone that is received log events from an Universal Forwarder running on EDT timezone.
The log events are in UTC timezone.
The HF is configured in non-indexer mode (Indexandforward = false in props.conf ) and
the HF is forwarding the events into an external application attaching a header (Time, hostname)

The issues is:
The time that HF is attaching is in EDT timezone. we want this to be in UTC timezone.

Anyone faced this kind of issue? please suggest solutions.

Below are config details:
props.conf
[mysourcetype]
TRANSFORMS-route_log = route_log_external

transforms.conf
[route_log_external]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = external_out

outputs.conf
[syslog]
defaultGroup = none
maxEventSize = 50000

[syslog:external_out]
server = 127.0.0.1:12121
type = tcp
timestampformat = %b %e %H:%M:%S

Re: Timezone conversion issue on HF

Raschko — Wed, 27 Jul 2016 00:27:31 GMT

Have you set the timezone on the first HF to EDT for this input stanza?

props.conf :

TZ = <timezone identifier>

If the timezone is in the log events, Splunk will use this timezone (from props.conf Splunk docs).

Re: Timezone conversion issue on HF

ddrillic — Wed, 27 Jul 2016 01:27:19 GMT

You are saying -
-- The log events are in UTC timezone.

So, the time in the log events is not in the format of -0500, GMT, right? otherwise you would have received the events in the UTC timezone.

You should probably "force" the timezone at the forwarder level.

Re: Timezone conversion issue on HF

bkumarm — Wed, 27 Jul 2016 13:19:23 GMT

We don't have any TZ specified in props.conf on the UF at the source.
I have updated the description above with additional info.

Re: Timezone conversion issue on HF

bkumarm — Wed, 27 Jul 2016 13:22:14 GMT

Yes, we do not get log events in the format -0500, GMT
could you please explain how to "force" the timezone at UF level? and how would that affect when event is forwarded again from HF?

Re: Timezone conversion issue on HF

Raschko — Wed, 27 Jul 2016 13:33:24 GMT

Please try to set one in props.conf as I described above using your timezone identifier for EDT.

Re: Timezone conversion issue on HF

ddrillic — Wed, 27 Jul 2016 13:38:05 GMT

If the log event can have an explicit time zone then it's obviously the best choice.
If not, then apparently props.conf on the indexer is the proper place to "force" it.