Solved: Re: DB connect inputs data timestamp is in EST but...

isha_rastogi · ‎11-13-2017

We have DB connect installed in Heavy weight forwarder which are in UTC timezone and the db input have TIMEStAMP field in EST. WE are using that Db field as Timestamp but it's always indexing in UTC instead of EST.
I've tried to put below setting sin Indexers and HWF in custom_app/local but no success. I've tried to put same configs in dbconnect app/local/props.conf. Any suggestions where to put the configs
[db_test]
TZ = America/New_York

isha_rastogi · ‎11-15-2017

I've changed the EST time to UTC again in Oracle query, and now splunk is indexing correct time.

View solution in original post

sylim_splunk · ‎07-27-2018

DB Connect 3.1+ versions no longer use TZ parameter in props.conf, instead new configuration timezone in db_connections.conf (Edit connection > Settings ) to recognise the timestamp in events from database.
To confirm if it detects timestamp correctly check the field "_time" instead of time in the event.
How it present the timestamp is described in the link below;
http://docs.splunk.com/Documentation/DBX/3.1.3/DeployDBX/Createandmanagedatabaseconnections

isha_rastogi · ‎11-15-2017

I've changed the EST time to UTC again in Oracle query, and now splunk is indexing correct time.

rsanders30 · ‎01-18-2018

Can you please elaborate? I am having the same issue. I have researched throughout Splunkbase, and I haven't had any success by adding the line to JVM options or modified the db_connections.conf file.

Appreciate it.

isha_rastogi · ‎01-29-2018

I've changed the Oracle query and it the db query have to convert the EST time to UTC.

gjanders · ‎11-14-2017

While I can only see this fix documented in the 3.1.x DB connect versions and newer it did resolve my particular issue.

In the documentation for creating a database connection in DB connect 3.1.1 there is now a "Timezone" setting in which you can control the timezone used by the database connection.
In my case I removed the JVM timezone setting from Configuration -> Settings -> JVM options (user.timezone), which was set to UTC, after removing that all connections from the DB connect app started using the AEST timezone that the OS uses by default.

For the database connections where the database uses UTC time I can now use the timezone setting in the above section of the DB connect app to override the required timezone.

Only the above settings appear to change the time data parsed by Splunk for the DB connect application, so I assume the application is doing something different compared to say reading data in from a log file as the props.conf timezone settings do not apply.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

gjanders · ‎11-13-2017

I've logged a case on this because I'm having the exact same issue with Australian time zones, so the timestamp comes in with the correct time and the Splunk _time ends up 11 hours in the future...

I also tried adjusting the TZ= settings in props.conf to various different values but the DB connect appears to act differently to the standard way of ingesting data when it comes to timezone properties...

DB connect version 3.1.1

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

DB connect inputs data timestamp is in EST but splunk is recording it in UTC ( splunk servers are in UTC)

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation