How do I modify timezone settings in props.conf?

oagtexas
Explorer

All,

We are upgrading our Cisco devices to the new ASA Firepower devices and apparently these will only output logs in UTC. Fine. I added the following stanza to all the appropriate props.conf files and Splunk is still not converting them correctly at search time:

[host::x.x.x.x]
TZ = UTC

Am I missing something?

1 Solution

yannK
Splunk Employee

The priority of timezone is:
highest = timezone in the event
medium = timezone in the sourcetype (props.conf on the indexers or first parsing instance like a heavy forwarder)
lowest = timezone of the server parsing the events (indexer or first heavy forwarder)
with the exception of structured events (json/csv/xml, that may be parsed on the forwarder)

  • Do the events contain a timezone in the events?
  • and is your props.conf on the indexers or the forwarder?
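
The precedence in the answer above, worked through as an added example that is not the author's or Splunk's code; the Cisco ASA-style sample lines, the resolve_time helper and the fixed-offset CST server zone are assumptions for illustration:

```python
"""Timezone precedence during timestamp parsing, as laid out in the answer above.
Added illustration, not Splunk's own code: the sample Cisco ASA-style lines and
the resolve_time helper are constructed here, and zones are fixed UTC offsets."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
CST = timezone(timedelta(hours=-6), "CST")  # assumed zone of the parsing server

# Constructed sample lines: the first carries no timezone (the situation in the
# question), the second carries an explicit offset inside the event.
ASA_NO_TZ = "Mar 05 2024 14:30:00: %ASA-6-302013: Built outbound TCP connection"
ASA_WITH_TZ = "Mar 05 2024 14:30:00 +0000: %ASA-6-302013: Built outbound TCP connection"

_TS_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})(?: ([+-]\d{4}))?")


def resolve_time(event, props_tz=None, server_tz=CST):
    """Return the epoch seconds the parser would assign to `event`.

    Precedence follows the answer: an offset inside the event wins, then the
    TZ from the matching props.conf stanza on the first parsing instance
    (props_tz, a tzinfo or None), and only then the parsing server's own zone.
    """
    m = _TS_RE.match(event)
    if not m:
        raise ValueError("no recognisable timestamp at start of event")
    naive = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    if m.group(2):                       # highest: timezone in the event
        aware = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %Y %H:%M:%S %z")
    elif props_tz is not None:           # medium: TZ = ... in props.conf
        aware = naive.replace(tzinfo=props_tz)
    else:                                # lowest: zone of the indexer / heavy forwarder
        aware = naive.replace(tzinfo=server_tz)
    return int(aware.timestamp())


if __name__ == "__main__":
    # Without TZ in props.conf the UTC-stamped ASA line is read as local time,
    # six hours off; with TZ = UTC it lands on the correct instant.
    print(resolve_time(ASA_NO_TZ))                   # server zone applied
    print(resolve_time(ASA_NO_TZ, props_tz=UTC))     # props.conf TZ applied
    print(resolve_time(ASA_WITH_TZ, props_tz=CST))   # event offset wins over props.conf
```

Comparing the first two calls shows the six-hour skew the question describes when the stanza is not picked up by the instance that actually parses the events.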

oagtexas
Explorer

Well, after a restart of my syslog server last night, the changes took. I thought I had restarted the Splunk service after the change to that props.conf file, but apparently I didn't. Thanks for the sanity check.

yannK
Splunk Employee

Great, so it was just not reloaded.
You can mark the question as answered.

oagtexas
Explorer

Thanks. The timezone is NOT listed in the log entries. And once it didn't work for me the first time, I made sure to apply it everywhere just in case. It's set within the Cisco ASA app and under System/Local on both the Forwarder and Indexers.

yannK
Splunk Employee

Another remark: what is the original sourcetype of the events, is the TZ in props.conf for this sourcetype?

The timestamp and timezone are usually applied on the first pass, this means that if you have transforms to change the sourcetype later, and the TZ is specified for the new sourcetype, they may not apply.

oagtexas
Explorer

I'm doing some other work on the servers tonight so they will all be restarted. Maybe an app didn't get pushed out properly. I will check again tomorrow, but this should be working.
