Splunk Time stamp modification

Path Finder

Hi Team,

We are on Splunk 6.5.

Our forwarder machines are in the Brasilia time zone and our indexer is in the UTC time zone.

I have tried updating the props.conf file on my forwarder machine with the entry below.

[test]
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%f
TIME_PREFIX=^
TZ=America/Sao_Paulo
MAX_TIMESTAMP_LOOKAHEAD=25

Still, I can see that the indexed events are in the UTC time zone in the GUI. Please help me with this issue.

Regards,
Abilan

0 Karma
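To make concrete what the stanza above asks Splunk to do, here is an added Python illustration (it is not code from this thread or from Splunk). It reads the `[test]` stanza, finds the timestamp after `TIME_PREFIX`, limits the parse to `MAX_TIMESTAMP_LOOKAHEAD` characters, parses it with `TIME_FORMAT`, and then interprets the naive result in `TZ`. Running the same event with and without the `TZ` setting applied shows the three-hour skew the question describes. The sample event and the fixed-offset fallback table are constructed for this example; the helper names (`parse_props`, `extract_time`, `compare`) are this example's own. Note that these are parsing-phase settings: a universal forwarder does not run them, so they take effect on whichever host parses the data (the indexer, or a heavy forwarder).

```python
# Added illustration (not Splunk's code): how TIME_PREFIX, TIME_FORMAT, TZ and
# MAX_TIMESTAMP_LOOKAHEAD from a props.conf stanza combine to produce an
# event's _time, and what changes when the TZ setting is not applied.
import re
from datetime import datetime, timedelta, timezone

# The stanza from the question, embedded verbatim.
PROPS_CONF = """
[test]
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%f
TIME_PREFIX=^
TZ=America/Sao_Paulo
MAX_TIMESTAMP_LOOKAHEAD=25
"""

# Constructed sample event: a Brasilia-local timestamp (UTC-3 in June, no DST then).
SAMPLE_EVENT = "2017-06-15 10:30:45,123 INFO scheduler job finished"

# Constructed fallback offsets, used only if the host has no tz database.
FALLBACK_OFFSETS = {"America/Sao_Paulo": -3, "UTC": 0}


def parse_props(text):
    """Minimal props.conf reader: returns {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def resolve_tz(name):
    """Look up an IANA zone; fall back to a fixed offset if tzdata is missing."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:  # ZoneInfoNotFoundError, or no zoneinfo module at all
        return timezone(timedelta(hours=FALLBACK_OFFSETS[name]))


def extract_time(event, cfg, apply_tz=True):
    """Return an aware datetime for the event, or None if no timestamp parses.

    Mirrors the order Splunk uses: locate TIME_PREFIX, take at most
    MAX_TIMESTAMP_LOOKAHEAD characters after it, parse with TIME_FORMAT,
    then interpret the naive result in TZ (or UTC when TZ is not applied).
    """
    match = re.compile(cfg.get("TIME_PREFIX", "")).search(event)
    if not match:
        return None
    lookahead = int(cfg.get("MAX_TIMESTAMP_LOOKAHEAD", 128))
    window = event[match.end(): match.end() + lookahead]
    fmt = cfg["TIME_FORMAT"]
    # strptime needs an exact match, so try the longest prefix of the window first.
    naive = None
    for end in range(len(window), 0, -1):
        try:
            naive = datetime.strptime(window[:end], fmt)
            break
        except ValueError:
            continue
    if naive is None:
        return None
    tz = resolve_tz(cfg["TZ"]) if apply_tz and "TZ" in cfg else timezone.utc
    return naive.replace(tzinfo=tz)


def compare(event=SAMPLE_EVENT, props=PROPS_CONF, stanza="test"):
    """Epoch with TZ applied, epoch without it, and the difference in seconds."""
    cfg = parse_props(props)[stanza]
    with_tz = extract_time(event, cfg, apply_tz=True).timestamp()
    without_tz = extract_time(event, cfg, apply_tz=False).timestamp()
    return with_tz, without_tz, with_tz - without_tz


if __name__ == "__main__":
    a, b, delta = compare()
    print(f"with TZ:    {a:.3f}")
    print(f"without TZ: {b:.3f}")
    print(f"skew:       {delta:.0f} s")
```

If the stanza is never applied on the parsing host, the "without TZ" value is what lands in `_time`, and events from a UTC-3 site appear three hours early in the UI. Because the sample date is in June, there is no DST in play; with a summer date the real zone lookup would give a two-hour skew instead, which is why a real IANA zone name rather than a fixed offset belongs in `TZ`.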

Esteemed Legend

We need to see a sample event and your inputs.conf. It would be nice to see transforms.conf, too.

0 Karma

Builder

I had the very same issue not so long ago, and the resolution was that the props.conf on the INDEXER needed to have the stanza added, not on the forwarder.

0 Karma

Builder

Which also required that I go to this page on the indexer or restart the indexer service.

https://MYINDEXERURL:PORT/en-US/debug/refresh

0 Karma

Splunk Employee

Good call, don't forget to restart! Abilan

0 Karma

Splunk Employee

./splunk btool props list test --debug. We need the sourcetype on both the forwarder and the indexer.

EDIT: updated the command to reflect the different sourcetype, as you have it called test now... the other thread is sched.

0 Karma

Path Finder

Hi,

Thanks again for your help.

I have executed the query on my forwarder. Please find the output below; sourcetype is empty here.

/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf [scheduler]
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf ANNOTATE_PUNCT = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf AUTO_KV_JSON = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE_DATE = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf CHARSET = UTF-8
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf DATETIME_CONFIG = /etc/datetime.xml
/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+-]\d+ )?(?P[^ ]*)\s+(?P[^ ]+) - (?P.+)
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf HEADER_MODE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_MODEL = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_SOURCETYPE = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LINE_BREAKER_LOOKBEHIND = 100
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_AGO = 2000
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_HENCE = 2
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_AGO = 3600
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_HENCE = 604800
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_EVENTS = 256
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_BREAK_AFTER =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_AFTER =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_BEFORE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION = indexing
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-all = full
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-inner = inner
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-outer = outer
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-raw = none
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-standard = standard
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SHOULD_LINEMERGE = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRANSFORMS =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRUNCATE = 10000
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf detect_trailing_nulls = false
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf maxDist = 100
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf priority =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf sourcetype =

0 Karma

Path Finder

Hi,

The correct name is sched. Just as an example I have given it as test.

0 Karma