Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How and where does splunk determine host time zone...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My indexers and searchheads in my central datacentre are configured in UTC timestamp but I have universal/light forwarders around the world in many different time zones.
I know the hosts my forwarders are installed on have correct time zone settings. So I'd like to use the host timezone (point number 3 in this document) rather than override it but I can't get it right.
Hence my 2 questions :
* How does splunk determine the splunk server time zone (if running on linux)?
* Where is the time zone evaluated : in my case, if it's at the indexer level, it won't help...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are the rules: How Splunk applies timezones - I think this is exactly the page that you are referencing.
If you want to override the default processing, you must set the TZ attribute on the machine that is doing the parsing. that would mean that - on each indexer - you would need an entry in props.conf for each forwarder:
[host::forwarderhostname1]
TZ = forwardertimezone1
There is no alternative. This is a perfect enhancement request! Do it here: Submit Case
My request would be "I want to be able to set something like this in props.conf:
[host::*]
TZ = use_host_tz
So that the indexer would use the forwarder's server timezone setting"
But that's just what I asked for...
UPDATE: Splunk 6 - *WISH GRANTED!*
Specify time zones of time stamps
Note item # 3 - "If an event that arrives at an indexer originated at a forwarder, and both the forwarder and the receiving indexer run Splunk Enterprise 6.0 or later, then Splunk uses the time zone that the forwarder provides."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are the rules: How Splunk applies timezones - I think this is exactly the page that you are referencing.
If you want to override the default processing, you must set the TZ attribute on the machine that is doing the parsing. that would mean that - on each indexer - you would need an entry in props.conf for each forwarder:
[host::forwarderhostname1]
TZ = forwardertimezone1
There is no alternative. This is a perfect enhancement request! Do it here: Submit Case
My request would be "I want to be able to set something like this in props.conf:
[host::*]
TZ = use_host_tz
So that the indexer would use the forwarder's server timezone setting"
But that's just what I asked for...
UPDATE: Splunk 6 - *WISH GRANTED!*
Specify time zones of time stamps
Note item # 3 - "If an event that arrives at an indexer originated at a forwarder, and both the forwarder and the receiving indexer run Splunk Enterprise 6.0 or later, then Splunk uses the time zone that the forwarder provides."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks ! Indeed Splunk 6 update should fix this problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, this would be a workaround but what I need is to have splunk rely on the universal forwarders servers timezone - it's already correctly set so I wouldn't like to force it to some specific timezone (and in addition it's different for each forwarder). It's a pitty you can't set timezone at input time.
Introduction to Splunk AI
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Maximizing the Value of Splunk ES 8.x
