We are upgrading our Cisco devices to the new ASA Firepower devices and apparently these will only output logs in UTC. Fine. I added the following stanza to all the appropriate props.conf files and Splunk is still not converting them correctly at search time:
TZ = UTC
Am I missing something?
The priority of timezone is:
highest = timezone in the event
medium = timezone in the sourcetype (props.conf on the indexers or first parsing instance like a heavy forwarder)
lowest = timezone of the server parsing the events (indexer or first heavy forwarder)
with the exception of structured events (json/csv/xml), which may be parsed on the forwarder
Thanks. The timezone is NOT listed in the log entries. And once it didn't work for me the first time, I made sure to apply it everywhere just in case. It's set within the Cisco ASA app and under System/Local on both the Forwarder and Indexers.
I'm doing some other work on the servers tonight so they will all be restarted. Maybe an app didn't get pushed out properly. I will check again tomorrow, but this should be working.
Another remark: what is the original sourcetype of the events? Is the TZ in props.conf for this sourcetype?
The timestamp and timezone are usually applied on the first pass; this means that if you have transforms to change the sourcetype later and the TZ is specified for the new sourcetype, it may not apply.
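The precedence described in the two answers above (zone in the event, then TZ under the original sourcetype's props.conf stanza, then the parsing host's zone), as an added Python model that is not Splunk's code and not from anyone in this thread; the ASA line, the props.conf stanzas and the indexer's fixed UTC-4 local zone are all constructed:

```python
"""Model of the time-zone precedence described in this thread, applied to a
Cisco ASA syslog line. Added illustration; not Splunk's code. Sample event,
stanzas and the indexer's local zone are all constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the parsing host's local zone (an indexer on US
# Eastern daylight time, UTC-4). Lowest priority.
SERVER_TZ = timezone(timedelta(hours=-4), "SERVER")

# Constructed ASA line as the new appliance emits it: syslog header with
# no zone, so only props.conf or the server zone can supply one.
ASA_EVENT = "Jun 12 14:03:21 fw01 %ASA-6-302013: Built outbound TCP connection"

# Optional zone token right after the syslog timestamp ("UTC" or +-HHMM).
_HDR = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?: (UTC|[+-]\d{4}))?")

def _zone(token):
    """Turn a zone token into a tzinfo (fixed offsets only; no tzdata needed)."""
    if token == "UTC":
        return timezone.utc
    sign = 1 if token[0] == "+" else -1
    return timezone(sign * timedelta(hours=int(token[1:3]), minutes=int(token[3:5])))

def effective_tz(event, original_sourcetype, props):
    """Pick the zone as the thread describes: event > props.conf stanza of the
    ORIGINAL sourcetype > server. `props` maps stanza name -> settings, i.e.
    the merged view you would check with `splunk btool props list`."""
    m = _HDR.match(event)
    if m and m.group(2):
        return _zone(m.group(2)), "event"
    tz = props.get(original_sourcetype, {}).get("TZ")
    if tz:
        return _zone(tz), f"props.conf [{original_sourcetype}]"
    return SERVER_TZ, "server"

def event_epoch(event, original_sourcetype, props, year=2024):
    """Epoch seconds: the header time interpreted in the chosen zone."""
    m = _HDR.match(event)
    if not m:
        raise ValueError("no syslog timestamp at start of event")
    zone, _ = effective_tz(event, original_sourcetype, props)
    naive = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return int(naive.replace(tzinfo=zone).timestamp())

if __name__ == "__main__":
    right = {"cisco:asa": {"TZ": "UTC"}}           # TZ under the original sourcetype
    wrong = {"cisco:asa:renamed": {"TZ": "UTC"}}   # TZ only under a transform-assigned name
    for label, props in (("TZ on original", right), ("TZ on renamed", wrong)):
        zone, src = effective_tz(ASA_EVENT, "cisco:asa", props)
        print(f"{label}: {src}, epoch={event_epoch(ASA_EVENT, 'cisco:asa', props)}")
```

The second case is the trap from the remark above: with TZ only under the renamed sourcetype, the lookup for the original sourcetype misses and the event silently falls back to the server's zone, four hours off.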
Well, after a restart of my syslog server last night, the changes took. I thought I had restarted the Splunk service after the change to that props.conf file, but apparently I didn't. Thanks for the sanity check.