Splunk Time stamp modification

Path Finder

Hi Team,

We are on Splunk 6.5.

Our forwarder machines are in the Brasilia time zone and our indexer is in the UTC time zone.

I have tried adding the entry below to the props.conf file on my forwarder machine.

[test]
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%f
TIME_PREFIX=^
TZ=America/Sao_Paulo
MAX_TIMESTAMP_LOOKAHEAD=25

I can still see that the indexed events are in the UTC time zone in the GUI. Please help me with this issue.

Regards,
Abilan

0 Karma

Esteemed Legend

We need to see a sample event and your inputs.conf. It would be nice to see transforms.conf, too.

0 Karma

Builder

I had the very same issue not so long ago, and the resolution was that the props.conf on the INDEXER needed to have the stanza added, not on the forwarder.

0 Karma

Builder

Which also required that I go to this page on the indexer or restart the indexer service.

https://MYINDERXERURL:PORT/en-US/debug/refresh

0 Karma

Splunk Employee

Good call, don't forget the restart! Abilan

0 Karma

Splunk Employee

./splunk btool props list test --debug

Need the sourcetype on the forwarder and indexer.

EDIT: updated command to reflect the different sourcetype, as you have it called test now... the other thread is sched

0 Karma

Path Finder

Hi ,

Thanks again for your help.

I have executed the query on my forwarder. Please find the output below. sourcetype is empty here.

/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf [scheduler]
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf ANNOTATE_PUNCT = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf AUTO_KV_JSON = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE_DATE = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf CHARSET = UTF-8
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf DATETIME_CONFIG = /etc/datetime.xml
/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+-]\d+ )?(?P[^ ]*)\s+(?P[^ ]+) - (?P.+)
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf HEADER_MODE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_MODEL = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_SOURCETYPE = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LINE_BREAKER_LOOKBEHIND = 100
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_AGO = 2000
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_HENCE = 2
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_AGO = 3600
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_HENCE = 604800
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_EVENTS = 256
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_BREAK_AFTER =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_AFTER =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_BEFORE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION = indexing
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-all = full
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-inner = inner
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-outer = outer
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-raw = none
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-standard = standard
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SHOULD_LINEMERGE = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRANSFORMS =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRUNCATE = 10000
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf detect_trailing_nulls = false
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf maxDist = 100
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf priority =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf sourcetype =

0 Karma

Path Finder

Hi ,

The correct name is sched. Just as an example, I have given it as test.

0 Karma
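
The thread suggests comparing `btool props list <sourcetype> --debug` on the forwarder and on the indexer. This added Python example (not code from any poster or from Splunk) parses that output and reports, per host, whether the timestamp settings from the question's stanza are in effect and which file supplies them. The two sample listings, their paths and their values are constructed for illustration.

```python
import re

# Settings from the question's stanza that control timestamp parsing.
TIMESTAMP_KEYS = ("TZ", "TIME_FORMAT", "TIME_PREFIX", "MAX_TIMESTAMP_LOOKAHEAD")

# One line of `btool ... --debug` output: "<conf file path> <KEY = value | [stanza]>"
LINE_RE = re.compile(r"^(?P<path>\S+\.conf)\s+(?P<rest>.+)$")


def parse_btool_debug(text):
    """Return {key: (value, source_file)} for one stanza's --debug listing."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("rest").startswith("["):
            continue  # blank line or the stanza header itself
        key, sep, value = m.group("rest").partition("=")
        if sep:
            settings[key.strip()] = (value.strip(), m.group("path"))
    return settings


def timestamp_report(text):
    """Map each timestamp key to (value, file), or None if it is not set."""
    settings = parse_btool_debug(text)
    return {k: settings.get(k) for k in TIMESTAMP_KEYS}


# Constructed sample output (paths and values are illustrative assumptions).
FORWARDER = """\
/opt/splunkforwarder/etc/system/default/props.conf [sched]
/opt/splunkforwarder/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunkforwarder/etc/system/default/props.conf SHOULD_LINEMERGE = True
"""
INDEXER = """\
/opt/splunk/etc/system/local/props.conf [sched]
/opt/splunk/etc/system/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 25
/opt/splunk/etc/system/local/props.conf SHOULD_LINEMERGE = false
/opt/splunk/etc/system/local/props.conf TIME_FORMAT = %Y-%m-%d %H:%M:%S,%f
/opt/splunk/etc/system/local/props.conf TIME_PREFIX = ^
/opt/splunk/etc/system/local/props.conf TZ = America/Sao_Paulo
"""

if __name__ == "__main__":
    for host, out in (("forwarder", FORWARDER), ("indexer", INDEXER)):
        for key, hit in timestamp_report(out).items():
            print(f"{host:9} {key:24} {hit[0] + '  <- ' + hit[1] if hit else 'NOT SET'}")
```

A `NOT SET` for `TZ` on the host that parses the data means event times are not being interpreted with the intended zone, which skews any time-based search or correlation over those events.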