
2 Different Timezones being interpreted with the same IIS log file


As with many folks, my IIS logs are set up to run with GMT timestamps. I have set "TZ=GMT" in the sourcetype setup for my IIS logs, on the indexer under props.conf.

I have multiple IIS servers using the same sourcetype. For most of my servers, all is well and I see that Splunk is converting the timezone to my local timezone (Pacific) based on my settings. However, there are a few servers where I see Splunk interpreting 2 different timezones, see below:

7:35:55.000 AM

2019-10-21 07:35:55 GET /api/..snip.. - 80 - - - 200 0 0 6
host = V-WEB-PA-2-P source = C:\inetpub\logs\logfiles\W3SVC22\u_ex191021.log sourcetype = ms:iis:default

7:35:54.000 AM

2019-10-21 14:35:54 POST /api/..snip.. - 80 - - - 200 0 0 2
host = V-WEB-PA-2-P source = C:\inetpub\logs\logfiles\W3SVC22\u_ex191021.log sourcetype = ms:iis:default

Splunk is interpreting log entries with "7:35:xx" and "14:35:xx" as both being IIS events that happened at 7:35:xx local time. The correct and expected interpretation is that only log entries with "14:35:xx" should be interpreted that way.

You will notice that the same file is being used to make the two interpretations.

Can anyone please point me in the direction of where I may have mis-configured Splunk, or why this is happening?

Thank you.

0 Karma
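The check below is an added example, not part of the original post or of Splunk itself: it reproduces in Python what an explicit props.conf timestamp configuration (TIME_PREFIX, TIME_FORMAT, TZ=GMT) should yield for each raw IIS line, and flags events whose displayed local time does not match that conversion. The props.conf-style settings, the fixed PDT offset for the 2019-10-21 date, and the sample events are assumptions constructed for the demo.

```python
import re
from datetime import datetime, timezone, timedelta

# Assumed props.conf-style settings for the ms:iis:default sourcetype (not Splunk's code).
TIME_PREFIX = r"^"                       # IIS W3C lines start with the date and time fields
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"        # matches "2019-10-21 07:35:55"
TZ = timezone.utc                        # the poster's TZ=GMT setting
# Assumed display zone: Pacific was on PDT (UTC-7) on 2019-10-21; use zoneinfo in real use.
DISPLAY_TZ = timezone(timedelta(hours=-7), name="PDT")

TS_RE = re.compile(TIME_PREFIX + r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def extract_time(line):
    """Return the event time as an aware datetime, or None for IIS header/unparseable lines."""
    if line.startswith("#"):             # IIS writes #Software / #Fields / #Date header lines
        return None
    m = TS_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(m.group(1), TIME_FORMAT)
    return naive.replace(tzinfo=TZ)      # TZ=GMT: the raw timestamp is UTC, never local


def expected_local(line):
    """Local wall-clock time (HH:MM:SS) the search UI should show for this raw line."""
    t = extract_time(line)
    return None if t is None else t.astimezone(DISPLAY_TZ).strftime("%H:%M:%S")


def find_mismatches(events):
    """events: (displayed_local_time, raw_line) pairs copied from the search results.
    Returns the raw lines whose displayed time is not what TZ=GMT should produce."""
    return [raw for shown, raw in events if expected_local(raw) != shown]


# Constructed sample events modelled on the two in the question (paths snipped).
SAMPLE_EVENTS = [
    ("07:35:55", "2019-10-21 07:35:55 GET /api/x - 80 - - - 200 0 0 6"),   # wrongly shown
    ("07:35:54", "2019-10-21 14:35:54 POST /api/x - 80 - - - 200 0 0 2"),  # correct
]

if __name__ == "__main__":
    for raw in find_mismatches(SAMPLE_EVENTS):
        print("displayed time does not match the TZ=GMT conversion:", raw)
```

A 07:35:55 GMT entry should display as 00:35:55 Pacific, so the first sample event is reported and the second is not.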