DB connect inputs data timestamp is in EST but Splunk is recording it in UTC (Splunk servers are in UTC)

isha_rastogi
Path Finder

We have DB Connect installed on heavyweight forwarders, which are in the UTC timezone, and the DB input has a TIMESTAMP field in EST. We are using that DB field as the timestamp, but it's always indexing in UTC instead of EST.
I've tried to put the settings below on the indexers and HWF in custom_app/local, but with no success. I've tried to put the same configs in dbconnect app/local/props.conf. Any suggestions where to put the configs?
[db_test]
TZ = America/New_York

0 Karma
1 Solution

isha_rastogi
Path Finder

I've changed the EST time to UTC again in the Oracle query, and now Splunk is indexing the correct time.

0 Karma

sylim_splunk
Splunk Employee

DB Connect 3.1+ versions no longer use the TZ parameter in props.conf; instead there is a new configuration, timezone, in db_connections.conf (Edit connection > Settings) to recognise the timestamp in events from the database.
To confirm whether it detects the timestamp correctly, check the field "_time" instead of the time in the event.
How it presents the timestamp is described in the link below:
http://docs.splunk.com/Documentation/DBX/3.1.3/DeployDBX/Createandmanagedatabaseconnections

0 Karma

rsanders30
Path Finder

Can you please elaborate? I am having the same issue. I have researched throughout Splunkbase, and I haven't had any success by adding the line to JVM options or modifying the db_connections.conf file.

Appreciate it.

0 Karma

isha_rastogi
Path Finder

I've changed the Oracle query, and the DB query has to convert the EST time to UTC.

0 Karma
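
The conversion described in the reply above, sketched as an added example that is not part of the original thread and is not the poster's actual query. The table `app_events` and its columns `event_id`, `event_time` and `message` are hypothetical, and `event_time` is assumed to hold New York wall-clock time with no zone information.

```sql
-- Input query for DB Connect: emit the event time already converted to UTC,
-- so the timestamp column matches the timezone of the Splunk servers.
-- app_events, event_id, event_time and message are hypothetical names.
SELECT
    event_id,
    -- 1. CAST ... AS TIMESTAMP : accept a DATE or TIMESTAMP column
    -- 2. FROM_TZ               : label the value as New York wall-clock time
    -- 3. AT TIME ZONE 'UTC'    : shift it to UTC
    -- 4. outer CAST            : drop the zone so a plain TIMESTAMP is returned
    CAST(
        FROM_TZ(CAST(event_time AS TIMESTAMP), 'America/New_York')
            AT TIME ZONE 'UTC'
        AS TIMESTAMP
    ) AS event_time_utc,
    message
FROM app_events
ORDER BY event_id;

-- Sanity check on two constructed sample values (one winter, one summer).
-- The region name follows daylight saving time; a fixed '-05:00' offset does
-- not, so the two converted columns agree in winter and differ by one hour
-- while daylight saving time is in effect.
SELECT
    local_ts,
    CAST(FROM_TZ(local_ts, 'America/New_York') AT TIME ZONE 'UTC' AS TIMESTAMP)
        AS utc_from_region,
    CAST(FROM_TZ(local_ts, '-05:00') AT TIME ZONE 'UTC' AS TIMESTAMP)
        AS utc_from_fixed_offset
FROM (
    SELECT TIMESTAMP '2024-01-15 09:00:00' AS local_ts FROM dual
    UNION ALL
    SELECT TIMESTAMP '2024-07-15 09:00:00' FROM dual
);
```

After switching the input to the converted column, compare `_time` in Splunk against the source row for an event on each side of a daylight saving change.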

gjanders
SplunkTrust

While I can only see this fix documented in the 3.1.x DB connect versions and newer, it did resolve my particular issue.

In the documentation for creating a database connection in DB connect 3.1.1 there is now a "Timezone" setting in which you can control the timezone used by the database connection.
In my case I removed the JVM timezone setting from Configuration -> Settings -> JVM options (user.timezone), which was set to UTC. After removing that, all connections from the DB connect app started using the AEST timezone that the OS uses by default.

For the database connections where the database uses UTC time I can now use the timezone setting in the above section of the DB connect app to override the required timezone.

Only the above settings appear to change the time data parsed by Splunk for the DB connect application, so I assume the application is doing something different compared to, say, reading data in from a log file, as the props.conf timezone settings do not apply.

gjanders
SplunkTrust

I've logged a case on this because I'm having the exact same issue with Australian time zones, so the timestamp comes in with the correct time and the Splunk _time ends up 11 hours in the future...

I also tried adjusting the TZ= settings in props.conf to various different values but the DB connect appears to act differently to the standard way of ingesting data when it comes to timezone properties...

DB connect version 3.1.1

0 Karma