topic Re: How to set time zone dynamically based on host name? in Getting Data In

How to set time zone dynamically based on host name?

joesrepsolc — Mon, 23 Sep 2019 16:31:33 GMT

I've got 95% of this new input working, but was hoping to also configure the TZ (dynamically) based on the host name value. Would like to set the correct time zone based on the hostname starting with "CA" or "KC". I have the timezone settings to add to the props.conf just can't seem to figure out how to do this based on the host name.

How can I do that in my props.conf?? dataset is the same format, so was hoping to do this in the single props.conf file.

if host=CA* then TZ=America/Chicago
if host=KC* then TZ=America/Los_Angeles

current PROPS.CONF

[sourcetype_name]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q

Re: How to set time zone dynamically based on host name?

DavidHourani — Mon, 23 Sep 2019 17:09:26 GMT

Hi @joesrepsolc,

You can do this by including stanzas based on the host instead of sourcetype only. It should look something like that in your props.conf :

[host::CA*]
TZ = America/Chicago

[host::KC*]
TZ = America/Los_Angeles

Let me know how that works out for you.

You can see some more example here:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Propsconf#props.conf.example

Cheers,
David

Re: How to set time zone dynamically based on host name?

joesrepsolc — Mon, 23 Sep 2019 20:33:17 GMT

I just put all those into a single props.conf and it WORKS. Awesome.

So the incoming data will hit the 1st stanza (sourcetype) and process through that, and also hit the matching hostname stanza, and process through that as well. I was under the initial impression that it only matched 1 stanza, and that's where I was stuck.

Thank You.

Re: How to set time zone dynamically based on host name?

DavidHourani — Tue, 24 Sep 2019 03:46:31 GMT

Awesome @joesrepsolc, glad to see that it worked for you !

Re: How to set time zone dynamically based on host name?

pretzel2 — Tue, 15 Sep 2020 15:47:44 GMT

Hello, We have a similar but slightly different situation.

Will implementing the host:: stanza impact ALL sourcetypes from the host caught by the filter?

We have for example IIS logs which are in UTC and then application logs based on datacenter timezones, CSTCDT or ESTEDT. We tried host:: based on hostname/datacenter/location. But now our IIS logs are coming in, in the future. Any suggestions?

Re: How to set time zone dynamically based on host name?

pretzel2 — Wed, 16 Sep 2020 18:35:57 GMT

We found a solution that worked in our case.

We have windows servers in two different data centers, in different time zones. The application log files in each are using the local time zone for the timestamp. We were going to switch based on hostname BUT that introduced problems where log file like IIS which are in UTC, everywhere.

We found in the documentation for props.conf that if TZ for a sourcetype stanza is NOT specified, it will default (use) the servers local time stamp. That worked for us.

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
  the version 6.0 and higher forwarding protocol, use the timezone provided
  by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string

Re: How to set time zone dynamically based on host name?

nbr — Mon, 15 Mar 2021 15:38:06 GMT

Hello joesrepsolc,

Can you tell me how you have given the stanza for a particular host? Like below?

[sourcetype_name]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q

[hostname]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q
TZ=timezone*

Re: How to set time zone dynamically based on host name?

scelikok — Mon, 15 Mar 2021 17:15:02 GMT

Hi @nbr,

You should write host based stanza like below;

[host::hostname] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=UTF-8 disabled=false TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q TZ=timezone*

Re: How to set time zone dynamically based on host name?

nbr — Tue, 16 Mar 2021 08:36:00 GMT

Hello @scelikok

I have given,

[host::hostname]
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 128
NO_BINARY_CHECK = true
CHARSET = UTF-8
disabled = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%Q
TZ = Asia/Dubai

But the logs from that particular host is getting indexed in UTC timings. The server time zone has been set to UTC and that cannot be changed. Is there anything we can do from Splunk end?

I already been tried to point the time zone to datetime.xml file in the HF, but no luck.

Re: How to set time zone dynamically based on host name?

Arokiaraj1991 — Thu, 08 Aug 2024 00:07:07 GMT

Hi @DavidHourani ,

I have a similar kind of requirement, but I have the hostnames coming in as IPs.

There are too many IPs and difficult to add everything one by one and also, there is a possibility some new IPs also come in at later point.

Can I try something like [host::10.24.*] ?

I tried it and seems not working. If it is not possible to use wildcard with IP for host based settings, what else would you suggest?

Thanks,

Re: How to set time zone dynamically based on host name?

DavidHourani — Thu, 08 Aug 2024 06:03:49 GMT

Hi there,

It should work with IP addresses, if your data is going through an HF before reaching an indexer then the config should be applied on the HF.

Let me know if it works for you!

Cheers,

David