topic Re: timezone issue in Getting Data In

timezone issue

ofeefee — Mon, 04 Mar 2013 03:07:40 GMT

how come if I set the timezone to CST, logs sent with UTC timestamp doesn't get put in CST, they appear to stay as UTC, but then logs without a timestamp get tagged CST. So then I have some logs in CST, some in UTC, so when trying to correlate these, it's a mess! I figured if it was all CST, it would keep them all as Central time, and convert the times.

Re: timezone issue

aholzer — Mon, 04 Mar 2013 15:26:09 GMT

I am assuming you mean setting the timezone in the props.conf, as so:

[YourSourcetype]
...
TZ=YourTimezone

If this is the case, then the timezone you want to specify here is the timezone of the events being written to those logs that are being tagged with "YourSourcetype". Example: logInEST.log is being generated on an EST server, monitored by a forwarder and tagged as ESTST (EST SourceType). The props.conf on the indexer, which is a London based server, should be something like this:

[ESTST]
...
TZ=US/Eastern

So when you run a search that captures ESTST, it will convert everything from the US/Eastern to the local time of the indexer.

Re: timezone issue

ofeefee — Mon, 04 Mar 2013 22:17:24 GMT

i think this is one of those restrictions that splunkstorm has. if you have data coming in from different timezones you have to put them in seperate projects. Problem is hafl the data is tagged with the timezone data, the other has no timezone data, so it's getting split. I solved it by setting Splunkstorm to UTC, and it's all syncing up now. I just have to do the time shift mentally, not too difficult after this many years.