Getting Data In

How do I edit configurations to correct the timezone for UTC proxy logs?

daniel_augustyn
Contributor

Something is wrong with the BlueCoat proxy logs in Splunk. I am pulling them from the FTP server, and this server has already been set up to logging in UTC time zone. And at the top of it, the Splunk configs are adding UTC to it, so the logs are way ahead of time. How should I fix them?

0 Karma
1 Solution

rfaircloth_splu
Splunk Employee
Splunk Employee

Add the following to props.conf for your source type. This is index time so you will need to deploy to your indexer(s) in a distributed environment.

[sourcetype]

TZ=UTZ

View solution in original post

0 Karma

daniel_augustyn
Contributor

Here is the answer for the issue:

https://answers.splunk.com/answers/149955/last-15-min-refers-to-event-time-or-index-time.html

That refers to the event's time, namely the _time field.

All times in the UI are in the Splunk user's timezone, which defaults to the Search Head timezone.
For indexing other timezones where the event doesn't specify the timezone you can set the timezone for a host in props.conf like this:

[host::some_host]
TZ = timezone
See http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/propsconf for reference.

If you want to search for the last 15 minutes by index time you can search over all time using this:

_index_earliest=-15m _index_latest=now actual search goes here

0 Karma

rfaircloth_splu
Splunk Employee
Splunk Employee

Add the following to props.conf for your source type. This is index time so you will need to deploy to your indexer(s) in a distributed environment.

[sourcetype]

TZ=UTZ

0 Karma

rfaircloth_splu
Splunk Employee
Splunk Employee

I had a typo should be TZ=UTC

0 Karma

Richfez
SplunkTrust
SplunkTrust

You can set the TZ of the log on the input. You may find it beneficial to read through this doc on specifying timezones to get an understanding of how this works.

For the additional amount they're off - what TZ are you in and what TZ is your Splunk UI set to?

daniel_augustyn
Contributor

I think I am lost a bit here. I had this set up in props.conf file in the search head, indexers, and UF. But since the logs were already in UTC, I turned it off. I also changed the sourcetype logs to auto and the Splunk UI to auto as well. Still the time in the first column _time, it's not the same as in the logs.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

If _time doesnt match the actual time field in the logs, then you need to configure the props on the HF or Indexer that is processing these to match the actual timestamp. Sounds like there are multiple fields for the timestamp and perhaps Splunk is getting confused.

On another note, what is your user's timezone set to in preferrences? That will also effect the time offset as displayed in the GUI.

0 Karma

daniel_augustyn
Contributor

Splunk is adding UTC at the top of UTC, how to disable it:
NOW TIME PST: 3:49PM

TIME: 1/20/16 7:39:14.000 AM
EVENT: 2016-01-19 23:39:14 231 10.140.0.183 - - ads.adaptv.advertising.com 54.86.77.158 None - - PROXIED "Web Ads/Analytics" - 200 TCP_NC_MISS GET text/xml http ads.adaptv.advertising.com 80 /a/h/KXTWGX4WxNeaD38bcnC7yB43KpcLA4ukePD1RzMwavokLbuUhVT_l07lWY9maO1p ?cb=891797433&pageUrl=about%3ablank%23ifrndnlocgoogle&description=&duration=[LR_DURATION]&id=&keywords=VIDEO_KEYWORDS&title=&url=[LR_VIDEO_URL]&eov=eov - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" 172.16.140.11 1184 13488 - "none" "none" none

0 Karma

rfaircloth_splu
Splunk Employee
Splunk Employee

Splunk does not know the time zone and is assuming or has TZ=UTC change the TZ=Value to the correct timezone

0 Karma

daniel_augustyn
Contributor

I have UTC across the board and still same issue:

Splunk User UI - UTC
Indexers - TZ = UTC
SH = UTC
Sourcetype = UTC

?

0 Karma

MuS
Legend

It's maybe worth reading this docs http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/HowSplunkextractstimestamps and also check the users time zone setting in the UI settings » Access controls » Users

0 Karma

daniel_augustyn
Contributor

None of this work! When I have UI in UTC, my logs are ahead of 8 hours at the top of UTC (16 hours from the local) and I can't do searches on these logs. When I change UI to PST (local time) everything looks fine. But I can't do searches either, since the searches are done in PST, and I am loosing 8 hours, the difference from PST to UTC.

0 Karma

daniel_augustyn
Contributor

How do I change default searches (last 15 min, last 60 min, etc) to search based on UTC time? I changed UI time to PST and the logs are ok now:
PST local time: 4:41PM
Time: 1/19/16
11:39:14.000 PM
Event: 2016-01-19 23:39:14 231 10.140.0.183 - - ads.adaptv.advertising.com 54.86.77.158 None - - PROXIED "Web Ads/Analytics" - 200 TCP_NC_MISS GET text/xml http ads.adaptv.advertising.com 80 /a/h/KXTWGX4WxNeaD38bcnC7yB43KpcLA4ukePD1RzMwavokLbuUhVT_l07lWY9maO1p ?cb=891797433&pageUrl=about%3ablank%23ifrndnlocgoogle&description=&duration=[LR_DURATION]&id=&keywords=VIDEO_KEYWORDS&title=&url=[LR_VIDEO_URL]&eov=eov - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" 172.16.140.11 1184 13488 - "none" "none" none

but the default search are searching based on PST time, not UTC.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...