Getting Data In

Getting the timezone from the operating system for a universal forwarder

TONYBYERS
Path Finder

Some log events do not have timezone information in it so I need to set the timezone in the props.conf on the forwarder. This works fine however we have many universal forwarders in multiple timezone and it would be useful to have one standard build. Is it possible to get the forwarder to get the timezone information from the underlying OS?

lguinn2
Legend

As of version 6, Splunk forwarders provide the local OS timezone as the default. If the data (the log file or whatever) does not specify a timezone, the local OS timezone will be used.

"If an event that arrives at an indexer originated at a forwarder, and both the forwarder and the receiving indexer run Splunk Enterprise 6.0 or later, then Splunk Enterprise uses the time zone that the forwarder provides." from the Getting Data In manual.

TONYBYERS
Path Finder

I saw that in the documentation but I don't think it works that way. If there is no timezone information in the event and nothing in the props.conf on the forwarder then there will be no timezone information sent from the forwarder. If there was then the last statement in the documentation would be redundant "Splunk Enterprise uses the time zone of the server that indexes the event. ". Or I am misreading the documentation?

Thanks

lguinn2
Legend

I assure that it works that way. As of Splunk 6.0, the data packet sent from the forwarder to the indexer always includes basic info about the forwarder itself, including the forwarder's local system timezone.

You are misreading the documentation. "Splunk Enterprise uses the time zone of the server that indexes the event." means that, if all else fails, Splunk will use the indexer's timezone.

It is very common for Splunk forwarders to be versions behind the indexers. So if you have a 5.x forwarder, you can certainly forward to a 6.x indexer. In that case, there will be no forwarder local system time - and the default timezone will be the timezone of the indexer. If you have a 6.x forwarder, the default will be the timezone of the forwarder.

0 Karma

TONYBYERS
Path Finder

I am getting very odd behaviour here and it is more complex that I originally thought. What I am going to do is open a case with Splunk support - even though I believe you work for Splunk, I need this tracked. Thanks for reaching out to me and trying to fix it. Tony

0 Karma

lguinn2
Legend

Absolutely open a case with Support - that's the right thing to do when stuff doesn't seem to work as it should!

0 Karma

TONYBYERS
Path Finder

Thanks once again for your help - the problem turned out to be user error - in other words, I hadn't read the documentation correctly and had misconfigured props.conf

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

You may want to look at how timestamp assignment works.

0 Karma

TONYBYERS
Path Finder

Thanks. I was hoping the that I could get the timezone information from the OS so I do not have to have a specific build for each timezone

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...