Are Windows Eventlogs from windows forwarder lacking timezone

gfriedmann
Communicator

I'm trying to get a configuration going with light forwarders on many windows servers in different timezones.

It appears that a Windows light forwarder does not include timezone info with the WinEventLog input sources.

Has anyone succeeded in sorting out Windows event log timestamps in such a configuration? Am I crazy and missing a simple fix? I really don't want to declare the timezone in props.conf for each Windows host individually.

1 Solution

gkanapathy
Splunk Employee

You are correct. This is a bad flaw in the Splunk Windows input processors. I am surprised I do not see more about this here on answers.splunk.com. Another related flaw is the use of two-digit years, but whatever.

Please file an enhancement request on this. Unfortunately I don't have a solution for you other than to either configure the timezone on the indexers, or to start the Splunk process under the same time zone as the indexers. Neither is a good solution. Another way to fix this would be for the Splunk forwarders to be able to pass the timezone of an input down in the metadata (the way it can pass host, sourcetype, source, index, etc.) But this is also currently impossible.

gfriedmann
Communicator

Thank you for the confirmation. Maybe managing each non-standard timezone host individually in props.conf isn't the end of the world. I guess I might later run into problems if I collect other logs via flat-file inputs that are in UTC on that host but without a timezone. Enhancement request is filed. 🙂

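The per-host props.conf approach the thread settles on, written out as an added example; this is not configuration from the original posts. It assumes hostnames that encode a site (winsrv-nyc-*, winsrv-lon-*, winsrv-den-07) and a UTC flat-file path under D:\logs\utc\; all of those names are made up. The stanzas belong on the indexers (or whichever instance parses the data), not on the light forwarder, because TZ is applied when the timestamp is extracted, and it only takes effect for timestamps that carry no zone of their own, which is exactly the WinEventLog case:

```ini
# props.conf on the indexer(s) -- added example, hostnames and paths are assumed.
# host:: stanzas match the event's host field and accept wildcards, so hosts
# that share a naming convention per site need one stanza, not one each.
# TZ must be a tz database name and is only used when the raw timestamp
# has no zone, so it does not disturb inputs that already carry one.

[host::winsrv-nyc-*]
TZ = America/New_York

[host::winsrv-lon-*]
TZ = Europe/London

# A single odd host can still be pinned by exact name.
[host::winsrv-den-07]
TZ = America/Denver

# The flat-file caveat from the thread: a UTC log file on a New York host
# would otherwise inherit America/New_York from the host stanza. source::
# stanzas take precedence over host:: stanzas, so pin those files to UTC.
[source::D:\\logs\\utc\\*.log]
TZ = UTC
```

Restart or reload the indexer after changing props.conf. TZ is applied at index time, so only events indexed afterwards get a corrected _time; verify by comparing _time on a fresh event against the time shown in Event Viewer on that host, and remember that hosts whose clocks already match the indexer's zone need no stanza at all.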

gfriedmann
Communicator

Additional info: playing with the splunkd light forwarder on Windows, I see that it sends raw data with a timestamp reflecting whatever timezone the server was in when splunkd started. For example, changing the server timezone will not immediately change the timestamps logged by Splunk.

Maybe it has something to do with the API splunk uses to get Eventlog data. It'd be nice if it included timezone in the forwarded message, though.
