Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can we apply multiple time settings via props for same feed

MKozanic
Path Finder
‎07-05-2021 05:45 PM

Hi All,

Have seen a few options for the issue I have, but wanted to know if Splunk can handle applying multiple props.conf settings to a specific feed.

ISSUE: 
We have a sourcetype coming in that needs to have date format set - this part is easy.  Complication is that feed is coming from servers in different timezones as well.

PROPOSED SOLUTION: 
Wondering if I can have props stanza for sourcetype to configure date format but also a secondary stanza for hosts to define timezone.

Something like:

[broken_sourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 27
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX = ^

[host::UShost*]
TZ = America/New_York
 
[host::AUShost*]
TZ = Australia/Sydney
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-09-2021 06:06 AM

It's true the documentation does not say "put this setting on your UF", but it does say the setting on the forwarder will be used if the time zone is not found in the data or in the indexer's settings.

To find out what props the UF uses, search props.conf.spec for "input time".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2021 05:52 AM

If the data is coming from Universal Forwarders on each host then add the TZ setting to the broken_sourcetype stanza in the props.conf file on each UF.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

MKozanic
Path Finder
‎07-06-2021 02:46 PM

Thanks @richgalloway , 

I wasn't sure if this would work as I couldn't find anything to say this would get picked up at the UF level, in fact most things I read suggested otherwise.

From what I read, UF processes very little from Props / Transforms - do you know if there is any documentation that outlines what works at UF level and what needs to be done at HF / IDX?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2021 05:03 PM

It's a fairly well-known feature, but not well publicized.  See https://docs.splunk.com/Documentation/Splunk/latest/Admin/PropsConf#:~:text=TZ%20

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

MKozanic
Path Finder
‎07-08-2021 06:01 PM

This doesn't really specify whether this can be run from UF.  Most things I have read indicate that parsing on UF is limited to structured formats like csv and event line splitting.

Given your knowledge, I'm happy to trust that you know what you are talking about, but it would be nice to have some supporting documentation that outlines exactly what can be done at UF and what needs to be done on HF / IDX.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-09-2021 06:06 AM

It's true the documentation does not say "put this setting on your UF", but it does say the setting on the forwarder will be used if the time zone is not found in the data or in the indexer's settings.

To find out what props the UF uses, search props.conf.spec for "input time".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...