How do I make sure that my events will always be indexed with the right timezone when using an INGEST_EVAL?

andrewtrobec — Tue, 27 Oct 2020 10:17:53 GMT

Hello, I am looking for some clarifications when using an INGEST_EVAL to set a timezone during index time.

The timezone I am working with is Romania which is +0200 or EET standard time and +0300 or EEST daylight savings time. No Romanian cities are available in the Splunk timezone list so I am using Beirut which according to this page is on the same timezone year round as Romania.

Now for my data I am indexing using an INGEST_EVAL which takes the timestamp from the source where each filename has the following format and reflects local Romanian time:

this_is_my_file_2020_10_27_10_55_53.csv

Since there is no timezone specified in the filename and since the Splunk system time is set to UTC I need to append the timezone using the INGEST_EVAL:

INGEST_EVAL = _time=strptime(replace(source,".*(?=/)/","")."EET","this_is_my_file_%Y_%m_%d_%H_%M_%S.csv%Z")

Now for my concern. Since I have hardcoded "EET" in the INGEST_EVAL, will this skew the files that are ingested during the daylight savings period? In other words, if a filename comes in during EEST, so 2020-10-01 for example, will Splunk understand not to use "EET" and use "EEST" instead even though it is not specified in the INGEST_EVAL?

To conclude, I hate timezones 🙂

Any input would be greatly appreciated.

Thank you and best regards,

Andrew

topic How do I make sure that my events will always be indexed with the right timezone when using an INGEST_EVAL? in Getting Data In

How do I make sure that my events will always be indexed with the right timezone when using an INGEST_EVAL?