How can i change timestamp?(Moscow Timezone inexac...

andrey2007 · ‎01-31-2013

Hello,
i have Splunk on freebsd 8.2 and i collect logs from Cisco Ips with Splunk for Cisco IPS App(using scripted input). Trouble is in timestamps, if event occurs at present moment, i see this event on splunk through some seconds, but with timestamp like this event was one hour ago. On freebsd i have Moscow timezone and correct time, time on Ips corresponds to realtime too, but in Splunk (Manager=>Your account) Moscow timezone is UTC+3, but really Moscow timezone is UTC+4. This is a problem. How can i change timestamps? Or may be somebody knows another solution for this problem.
P.s. i tryed to change props.conf for this app, may be i forgot something? this is my props.conf
[source::/opt/splunk/etc/apps/Splunk_CiscoIPS/var/log/ips_sdee.log.192.22.97.82]
[cisco_ips_syslog]
TZ = AE

yannK · ‎01-31-2013

"Moscow timezone is UTC+3, but really Moscow timezone is UTC+4"
the timezone definition comes from your system TZ tables, double check that your system is up to date on the indexers and search-heads. see in /usr/share/zoneinfo/

on linux you can try any timezone conversion of the current time with
date; export TZ=AE; date

andrey2007 · ‎01-31-2013

Yes, my system is up to date and with correct time, for testing i have one Splunk instance.

How can i change timestamp?(Moscow Timezone inexactness)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation