Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Defining time zone (TZ) value for Manual Host Extraction for syslog input

akshatj2
Path Finder
‎09-14-2018 03:15 PM

HI All,

I have created an inputs stanza for syslog input and created a manual host override using transforms. I tried to change the TZ value per host but it is not working. However, it works fine, if used per source type.
Kindly suggest how to fix

Inputs.conf 

  [tcp://<port>]
    sourcetype = <custom_sourcetype>

Props.conf 

 [host::ABC]
    TZ = UTC
    [host::DEF]
    TZ = Europe/London
0 Karma
Reply

itradeclayton
Path Finder
‎08-25-2019 09:26 AM

Did you ever figure this out? It's driving me crazy. I can't change all my "syslog" sourcetypes to the same timezone. I need to change by host or source etc.

0 Karma
Reply

akshatj2
Path Finder
‎08-25-2019 10:07 AM

Could you tell me where are you trying to define the TZ value

i would assume you have a heavy forwarder in place which is used to receive messages from syslog.

If yes you can try to set TZ value in your HF it should work. Also, make sure that splunk is taking time from the logs by setting appropriate Time Prefix and Time Format.

If still does not work can you give me more details so I can try to help you.

0 Karma
Reply

itradeclayton
Path Finder
‎08-25-2019 10:15 AM

I eventually figured it out... it just always seems to take some fiddling... the syntax for this doesn't always match what you can do in inputs.conf it seems. Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...