Getting Data In

How can I change the timezone of a forwarder?

LuiesCui
Communicator

Hi guys, I have a device monitored whose system time is set 8 hours earlier than the Splunk server. Every time I search the data of device I have to set the search time 8 hours earlier and some weird things happen when I search this device with the other. Since I cannot change the system time of this device, can I change the timezone by changing some configurations of the forwarder and make the _time of the data from this device the same with the Splunk server? Thanks in advance.

1 Solution

woodcock
Esteemed Legend

One of the new things in v6.0 is that having a TZ= setting inside props.conf on the forwarder will be honored and will be passed along to the indexers, provided both the forwarder and indexers are running at least v6.0. This means that all you need to do is add this to props.conf:

[yourSourcetype]
TZ = TZvalueForYourEventTimestamps

Then just bounce your forwarder's splunk instance and you will be good-to-go. Previous versions required this setting to be on props.conf on your indexers and then for the instances there to be bounced.

View solution in original post

woodcock
Esteemed Legend

One of the new things in v6.0 is that having a TZ= setting inside props.conf on the forwarder will be honored and will be passed along to the indexers, provided both the forwarder and indexers are running at least v6.0. This means that all you need to do is add this to props.conf:

[yourSourcetype]
TZ = TZvalueForYourEventTimestamps

Then just bounce your forwarder's splunk instance and you will be good-to-go. Previous versions required this setting to be on props.conf on your indexers and then for the instances there to be bounced.

LuiesCui
Communicator

Thank you! I'm using 6.2 on both forwarder and indexer. Just 3 more questions:
1. Can I use other fields instead of the "[yourSourcetype]", like host? If yes, what would that look like?
2. Could you show me an example of "TZvalueForYourEventTimestamps"? I'm not sure what I should put in here.

3. Can I add this stanza to the props.conf in the indexer without adding in the forwarder?
Thank you again!

0 Karma

huajieyang
New Member

which props.conf shall I take, there are many.

0 Karma

huajieyang
New Member

which props.conf shall I change?

0 Karma

woodcock
Esteemed Legend

Yes, of course, I should have used a host-based stanza header example like this:

[host::172\.0\.0\.1]

Also, it is common for the host to be embedded in the path so you could do something like this, too:

[source::/home/*/172.0.0.1/*]

LuiesCui
Communicator

I see. So Could you show me an example of "TZvalueForYourEventTimestamps"? I don't see any in the default folder. And can I add this stanza to the props.conf in the indexer without adding in the forwarder?

0 Karma

woodcock
Esteemed Legend

The docs are pretty clear:
http://docs.splunk.com/Documentation/Splunk/6.3.0/data/Applytimezoneoffsetstotimestamps
And it directs you to here:

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

This is a working example from one of my configurations:

[host::172\.0\.0\.1]
TZ = US/Central

You can add it to either the indexers or forwarders but wherever you add it, you have to restart all splunk instances.

0 Karma

LuiesCui
Communicator

Hi woodcock, I think I got some problems with this.
I have one indexer, let's call it instanceA, and three forwarders. One of the forwarders ( instanceB ) needs to be changed the timezone and the other two ( instanceC and instanceD ) don't.
As a test, I set my user's timezone in instanceA as GMT+8:00 (which is the timezone here). Then I put

[host::SYSAID7]
TZ = US/Eastern

in the props.conf in instanceB ( btw its host name is "SYSAID7").
After all this, I restarted instanceA and instanceB and found the _time of the events from instanceB were instanceB's system time still. Anything I missed or did wrong?
Update: InstanceB is sending the performance information with the system time in the events. Does it matter?

0 Karma

woodcock
Esteemed Legend

Perhaps you are under the impression that the raw event data will be changed by theses settings: it will not. These settings cause the value of field _time to be changed; the raw events will always be exactly what they were when created by the system that generated them. That is why I had you run the searches that I did.

0 Karma

woodcock
Esteemed Legend

What is the output of this search for your events?

... | dedup host sourcetype | eval date_zone=coalesce(date_zone, "N/A") | eval lagSecs=_indextime-_time | table host sourcetype date_zone lagSecs
0 Karma

LuiesCui
Communicator

The value of date_zone is "N/A" and lagSecs is like "-9" or "-10". How can I solve it?

0 Karma

woodcock
Esteemed Legend

The value of "N/A" means that there is NO valid TZ= setting in place for these events. The negative number means that events are being thrown into the future. Somehow your settings are not having effect but the numbers in the 10s concern me because there is no timezone setting that is less than 30 minutes and almost all of them are at least an hour. How can your events be 10 seconds off? It makes no sense to me.

0 Karma

LuiesCui
Communicator

Oh my bad. The system time on the instance with forwarder is like 9s or 10s later than the system time on splunk server. So I guess the lagSecs is fine. Why my settings are not working? Are my steps correct?

0 Karma

woodcock
Esteemed Legend

My test indicates your events are being timestamped correctly; why are you trying to change them?

0 Karma

LuiesCui
Communicator

The time in the logs of iis server is different from the actual time here, which may cause some weird questions. I tried changing the time of performance data with Splunk 6.2.4 and didn't work, as above. Today I tried changing the time in the logs of iis server with Splunk 6.3.0 by the way you said and worked! How does this happen? Does the Splunk version matter or the type of data?

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...