topic Re: Where to apply a time offset props when using a heavy forwarder in Splunk Search

Where to apply a time offset props when using a heavy forwarder

Runals — Fri, 22 Mar 2013 13:01:45 GMT

I currently have a firewall whose time is set to GMT sending data into Splunk via a heavy forwarder. Since timestamps are extracted at the heavy forwarder (correct?) I deployed the props.conf to just there. My concern was if I put the props at both the HF and the indexers it would do the time diff type operation twice. However, when I look at those logs I see them in the future so to speak.

Of course as I write this I'm wondering if ultimately the indexers/heavy forwarders couldn't care less about the offset given they store the data in a 'native' format and this should be applied to the search heads.

Re: Where to apply a time offset props when using a heavy forwarder

yannK — Fri, 22 Mar 2013 15:31:01 GMT

=> your condiguration seems correct.

The events and timestamp are parsed only once
This will happen on the HF, then the parsed events will be forwarded to the indexer, and it will write then directly to the buckets in the disk without parsing them a second time.

However, if you expected to setup any filtering/parsing/nullQueue routing on the indexer, it will not apply on the data from the HF.

Re: Where to apply a time offset props when using a heavy forwarder

Runals — Fri, 22 Mar 2013 15:38:57 GMT

The problem is it isn't working =). To find the most recent events I have to set the time selector to the future