topic Setting Timezone based on hostname extracted with regex in Getting Data In

Setting Timezone based on hostname extracted with regex

Krishna_R — Wed, 15 Sep 2010 22:31:37 GMT

I have to upload data from different sources (collected manually) and upload to a splunk indexer. The files are copied to the server with corresponding details & timezone (such as US_Pacific etc) in the path.

'host' field is extracted thru host_regex in my inputs.conf file, and part of it is the timezone. e.g. hostname could abc\tz_US_Pacific or xyz\tz_US_Eastern. (the abc and xyz relate to some other fields).

I'm trying to set the TZ using the props.conf as follows:

[host::*tz_US_Pacific] TZ = US/Pacific

[mysourcetype] EXTRACT-...

The Timezone offset is never applied (I have more hosts with Eastern time etc.) and all the logs are indexed with TZ as the local timezone for the Splunk server (which is IST).

Am I missing something here? Do I have to change the order of setting Timezone?

Re: Setting Timezone based on hostname extracted with regex

hulahoop — Wed, 15 Sep 2010 23:03:07 GMT

Unfortunately it is not possible to configure a host extraction then a timezone based on the host extraction. A suggested workaround is to change the logging convention to write the files to directories by host then apply timezone settings by source.

There is a similar discussion with additional details here: How to Set Timezone in an Advanced Configuration?

Re: Setting Timezone based on hostname extracted with regex

Krishna_R — Mon, 28 Sep 2020 09:17:43 GMT

Thanks for the quick response. Do you mean to use the source path to set the TZ offset?
I already extract the sourcetype from another part of the path (the path is quite long thanks to all the metadata fields in the path).
So, I already have
[source::...\mysourcetype\...?]
sourcetype = mysourcetype
as a stanza in props.conf. If I add one more as below, would both of them be applied for the same source file or only one of them?
[source::...\tz_US_Pacific\...]
TZ = US/Pacific

Re: Setting Timezone based on hostname extracted with regex

Krishna_R — Fri, 17 Sep 2010 00:02:55 GMT

I was able to accomplish it by using the source field.. Using 2 different stanzas, 1 for sourcetype and another for TZ works fine.
Thanks!

Re: Setting Timezone based on hostname extracted with regex

hulahoop — Fri, 17 Sep 2010 00:37:12 GMT

Awesome, glad it worked out. I wish we could just make it possible to set TZ on extracted sourcetypes. 🙂

Re: Setting Timezone based on hostname extracted with regex

Krishna_R — Sun, 10 Oct 2010 14:30:25 GMT

Agreed 100%.. I'm adding many stanzas each for different TZ...

Re: Setting Timezone based on hostname extracted with regex

BP9906 — Fri, 30 May 2014 17:49:47 GMT

This was my exact issue, I had rsyslog feeding 1 log from many servers. I changed rsyslog.conf to be:
$template DynaFile,"/var/log/file-%programname%.log"
local3.* -?DynaFile

I was then able to create source type stanzas to use TZ= for timezone and host field renaming via transforms.

Thank you!