All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I modify timezone settings in props.conf?

oagtexas
Explorer
‎10-12-2017 06:54 AM

All,

We are upgrading our Cisco devices to the new ASA Firepower devices and apparently these will only output logs in UTC. Fine. I added the following stanza to all the appropriate props.conf files and Splunk is still not converting them correctly at search time:

[host::x.x.x.x]
TZ = UTC

Am I missing something?

Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-12-2017 02:09 PM

The priority of timezone is :
highest = timezone in the event
medium = timezone in the sourcetype (props.conf on the indexers or first parsing instance like an heavy forwarder)
lowest = timezone of the server parsing the events (indexer or first heavy forwarder)
with the exception of structured events (json/csv/xml, that may be parsed on the forwarder)

  • Do the events contains a timezone in the events ?
  • and is your props.conf on the indexers or the forwarder ?

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-12-2017 02:09 PM

The priority of timezone is :
highest = timezone in the event
medium = timezone in the sourcetype (props.conf on the indexers or first parsing instance like an heavy forwarder)
lowest = timezone of the server parsing the events (indexer or first heavy forwarder)
with the exception of structured events (json/csv/xml, that may be parsed on the forwarder)

  • Do the events contains a timezone in the events ?
  • and is your props.conf on the indexers or the forwarder ?
Reply
Solved! Jump to solution

oagtexas
Explorer
‎10-13-2017 09:36 AM

Well, after a restart of my syslog server last night, the changes took. I thought I had restarted the Splunk service after the change to that props.conf file, but apparently I didn't. Thanks for the sanity check.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎10-16-2017 10:11 AM

Great, so it was just not reloaded.
You can mark the question as answered.

0 Karma
Reply
Solved! Jump to solution

oagtexas
Explorer
‎10-12-2017 02:15 PM

Thanks. The timezone is NOT listed in the log entries. And once it didn't work for me the first time, I made sure to apply it everywhere just in case. It's set within the Cisco ASA app and under System/Local on both the Forwarder and Indexers.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎10-12-2017 02:32 PM

Another remark : what is the original sourcetype of the events, is the TZ in props.conf for this sourcetype ?

The timestamp and timezone are usually applied on the first pass, this means that if you have transforms to change the sourcetype later, and the TZ is specified for the new sourcetype, they may not apply.

Reply
Solved! Jump to solution

oagtexas
Explorer
‎10-12-2017 02:27 PM

I'm doing some other work on the servers tonight so they will all be restarted. Maybe an app didn't get pushed out properly. I will check again tomorrow, but this should be working.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...