UTC Time Zone Offset Not Working for Host

ejwade — Fri, 17 May 2019 21:37:14 GMT

I have a single Linux syslog stream, containing logs from multiple hosts, coming into a Splunk indexer through a TCP port - 1027. The source=tcp:1027 and sourcetype=syslog. The host is assigned using default settings, but I also have the following in place:

props.conf
[source::tcp:1027]
TRANSFORMS-syslog-forwarded-hostrewrite01=syslog-forwarded-hostrewrite01

transforms.conf
[syslog-forwarded-hostrewrite01]
DEST_KEY = MetaData:Host
REGEX = ^\S+\s+[0-9]+\s+[:0-9]+\s\S+\sMessage forwarded\sfrom\s?(\S+):
FORMAT = host::$1
disabled = 0

There's a specific host "utc-host" that is send logs in UTC. Our indexer and users are in Pacific Time. To offset this, I created the following configuration:

props.conf
[host::utc-host]
TZ = UTC

Unfortunately, this did not work. I did cmd btool props list to confirm the configurations were committing to Splunk's running configuration. Any tips?

Re: UTC Time Zone Offset Not Working for Host

richgalloway — Sat, 18 May 2019 12:47:17 GMT

btool shows the configuration that will be used the next time Splunk restarts. Did you restart Splunk after making changes to props.conf?

Re: UTC Time Zone Offset Not Working for Host

ejwade — Mon, 20 May 2019 16:12:06 GMT

Yes - many times.

topic Re: UTC Time Zone Offset Not Working for Host in Getting Data In

UTC Time Zone Offset Not Working for Host

Re: UTC Time Zone Offset Not Working for Host

Re: UTC Time Zone Offset Not Working for Host