Getting Data In

Can we apply multiple time settings via props for same feed

MKozanic
Path Finder

Hi All,

Have seen a few options for the issue I have, but wanted to know if Splunk can handle applying multiple props.conf settings to a specific feed.

ISSUE: 
We have a sourcetype coming in that needs to have its date format set - this part is easy. The complication is that the feed is coming from servers in different time zones as well.

PROPOSED SOLUTION: 
Wondering if I can have a props stanza for the sourcetype to configure the date format but also a secondary stanza for hosts to define the time zone.

Something like:

[broken_sourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 27
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX = ^

[host::UShost*]
TZ = America/New_York
[host::AUShost*]
TZ = Australia/Sydney
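As an added illustration (not code from the thread, and not Splunk's own implementation), the script below simulates how the two kinds of stanza in the question combine: TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD come from the sourcetype stanza, TZ comes from whichever host:: stanza matches, and the same literal timestamp from a US host and an AU host therefore lands on different points in UTC. The wildcard matching (fnmatch-style), the translation of Splunk's %3N to strptime's %f, the "longest parsable prefix" search, and UTC standing in for the indexer's local zone when no TZ applies are all simplifying assumptions of this example; the fixed-offset fallback table is constructed and only valid for the mid-January sample dates.

```python
# Added example (not from the thread or from Splunk): simulate how props.conf
# sourcetype settings (TIME_PREFIX/TIME_FORMAT/MAX_TIMESTAMP_LOOKAHEAD) combine
# with a host:: stanza's TZ. Stanza matching and %3N handling are simplified
# approximations of Splunk's behaviour, not its code.
import re
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed props.conf, mirroring the stanzas proposed in the question.
PROPS = {
    "broken_sourcetype": {
        "MAX_TIMESTAMP_LOOKAHEAD": 27,
        "TIME_FORMAT": "%Y-%m-%d %H:%M:%S,%3N",
        "TIME_PREFIX": "^",
    },
    "host::UShost*": {"TZ": "America/New_York"},
    "host::AUShost*": {"TZ": "Australia/Sydney"},
}


def tz_for_host(host):
    """Return TZ from the first host:: stanza whose wildcard matches, else None."""
    for stanza, settings in PROPS.items():
        if stanza.startswith("host::") and fnmatchcase(host, stanza[len("host::"):]):
            return settings.get("TZ")
    return None


def zone(name):
    """Resolve an IANA zone name. If the machine has no tzdata, fall back to a
    constructed fixed-offset table that is only valid for mid-January
    (EST = UTC-5, AEDT = UTC+11), which is when the sample events occur."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:  # ImportError or ZoneInfoNotFoundError
        fixed_offset_hours = {"America/New_York": -5, "Australia/Sydney": 11}
        return timezone(timedelta(hours=fixed_offset_hours[name]))


def parse_event_time(host, sourcetype, line):
    """Extract the event timestamp the way the question's props intend and
    return it as an aware UTC datetime."""
    settings = dict(PROPS.get(sourcetype, {}))
    tz_name = tz_for_host(host)
    if tz_name:
        settings["TZ"] = tz_name  # the matching host:: stanza supplies the zone

    m = re.search(settings["TIME_PREFIX"], line)
    if m is None:
        raise ValueError("TIME_PREFIX did not match")
    window = line[m.end():m.end() + settings["MAX_TIMESTAMP_LOOKAHEAD"]]

    # Splunk's %3N (milliseconds) has no strptime equivalent; %f accepts 1-6 digits.
    fmt = settings["TIME_FORMAT"].replace("%3N", "%f")
    naive = None
    for n in range(len(window), 0, -1):  # longest prefix of the window that parses
        try:
            naive = datetime.strptime(window[:n], fmt)
            break
        except ValueError:
            continue
    if naive is None:
        raise ValueError("no timestamp matching TIME_FORMAT within MAX_TIMESTAMP_LOOKAHEAD")

    # With no TZ anywhere, Splunk uses the indexer's local zone; UTC stands in for that here.
    local_zone = zone(settings["TZ"]) if "TZ" in settings else timezone.utc
    return naive.replace(tzinfo=local_zone).astimezone(timezone.utc)


# Constructed sample: the same log line as seen from different hosts.
SAMPLE_LINE = "2024-01-15 09:30:00,123 INFO session opened for user=alice"


def demo():
    """Map each sample host to the UTC time its copy of SAMPLE_LINE resolves to."""
    return {
        host: parse_event_time(host, "broken_sourcetype", SAMPLE_LINE).isoformat()
        for host in ("UShost01", "AUShost07", "otherhost")
    }


if __name__ == "__main__":
    for host, ts in demo().items():
        print(f"{host:10s} -> {ts}")
```

Running it shows the 16-hour spread between the US and AU copies of an identical line, and that a host matching no host:: stanza ("otherhost") is interpreted in the fallback zone, which is exactly the silent skew a missing TZ produces in search results.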


richgalloway
SplunkTrust

If the data is coming from Universal Forwarders on each host then add the TZ setting to the broken_sourcetype stanza in the props.conf file on each UF.

---
If this reply helps you, Karma would be appreciated.

MKozanic
Path Finder

Thanks @richgalloway,

I wasn't sure if this would work as I couldn't find anything to say this would get picked up at the UF level, in fact most things I read suggested otherwise.

From what I read, the UF processes very little from props/transforms - do you know if there is any documentation that outlines what works at the UF level and what needs to be done at the HF / IDX?


richgalloway
SplunkTrust

It's a fairly well-known feature, but not well publicized. See https://docs.splunk.com/Documentation/Splunk/latest/Admin/PropsConf#:~:text=TZ%20

---
If this reply helps you, Karma would be appreciated.

MKozanic
Path Finder

This doesn't really specify whether this can be run from the UF. Most things I have read indicate that parsing on the UF is limited to structured formats like CSV and event line splitting.

Given your knowledge, I'm happy to trust that you know what you are talking about, but it would be nice to have some supporting documentation that outlines exactly what can be done at the UF and what needs to be done on the HF / IDX.


richgalloway
SplunkTrust

It's true the documentation does not say "put this setting on your UF", but it does say the setting on the forwarder will be used if the time zone is not found in the data or in the indexer's settings.

To find out what props the UF uses, search props.conf.spec for "input time".

---
If this reply helps you, Karma would be appreciated.