topic Re: Defining time zone (TZ) value for Manual Host Extraction for syslog input in Getting Data In

Defining time zone (TZ) value for Manual Host Extraction for syslog input

akshatj2 — Fri, 14 Sep 2018 22:15:16 GMT

HI All,

I have created an inputs stanza for syslog input and created a manual host override using transforms. I tried to change the TZ value per host but it is not working. However, it works fine, if used per source type.
Kindly suggest how to fix

Inputs.conf

  [tcp://<port>]
    sourcetype = <custom_sourcetype>

Props.conf

 [host::ABC]
    TZ = UTC
    [host::DEF]
    TZ = Europe/London

Re: Defining time zone (TZ) value for Manual Host Extraction for syslog input

itradeclayton — Sun, 25 Aug 2019 16:26:24 GMT

Did you ever figure this out? It's driving me crazy. I can't change all my "syslog" sourcetypes to the same timezone. I need to change by host or source etc.

Re: Defining time zone (TZ) value for Manual Host Extraction for syslog input

akshatj2 — Sun, 25 Aug 2019 17:07:48 GMT

Could you tell me where are you trying to define the TZ value

i would assume you have a heavy forwarder in place which is used to receive messages from syslog.

If yes you can try to set TZ value in your HF it should work. Also, make sure that splunk is taking time from the logs by setting appropriate Time Prefix and Time Format.

If still does not work can you give me more details so I can try to help you.

Re: Defining time zone (TZ) value for Manual Host Extraction for syslog input

itradeclayton — Sun, 25 Aug 2019 17:15:38 GMT

I eventually figured it out... it just always seems to take some fiddling... the syntax for this doesn't always match what you can do in inputs.conf it seems. Thanks!