I have events which have a timezone field whose values are UTC, America/chicago, etc.
How can I map these timezones to a standard time zone?
I tried to use TZ_ALIAS, but the string "America/Chicago" should be mapped to CST/CDT based on daylight saving time.
Is there any possibility to handle such situations?
Generally speaking (with the exception of Singapore, last I checked, probably more), the codes on this page work when used with the TZ setting in props.conf:
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
Note, since _time extraction occurs at index time (or before sending to indexers if you're using INDEXED_EXTRACTIONS and a TIMESTAMP_FIELDS setting), the data will have to be reloaded for the changes to be seen. Also, the props should be on the indexers or the first heavy forwarder the data flows through (again, unless using INDEXED_EXTRACTIONS).
So first I would try America/Chicago (case sensitivity unknown), then I would try Central, then I would try the deprecated US/Central. If all else fails, read the excerpt from props.conf.spec here and see if that answers any questions. Also, let us know your configuration so we can be more specific, and if you don't mind sharing a sample timestamp from an event, we can help further.
TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00), use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection is using the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Defaults to empty.
TZ_ALIAS = <key=value>[,<key=value>]...
* Provides splunk admin-level control over how timezone strings extracted from events are interpreted.
* For example, EST can mean Eastern (US) Standard time, or Eastern (Australian) Standard time. There are many other three letter timezone acronyms with many expansions.
* There is no requirement to use TZ_ALIAS if the traditional Splunk default mappings for these values have been as expected. For example, EST maps to the Eastern US by default.
* Has no effect on TZ value; this only affects timezone strings from event text, either from any configured TIME_FORMAT, or from pattern-based guess fallback.
* The setting is a list of key=value pairs, separated by commas.
* The key is matched against the text of the timezone specifier of the event, and the value is the timezone specifier to use when mapping the timestamp to UTC/GMT.
* The value is another TZ specifier which expresses the desired offset.
* Example: TZ_ALIAS = EST=GMT+10:00 (See props.conf.example for more/full examples)
* Defaults to unset.
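As an added illustration (not code from this thread or from Splunk), the following Python resolves an event's wall-clock time under the IANA zone named in its timezone field and measures how far a fixed-offset alias of the kind TZ_ALIAS expresses (e.g. America/Chicago=GMT-06:00) would misplace the event in UTC once daylight time is in effect. The sample events and the alias table are constructed; Python 3.9+ with a system tz database is assumed.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample events: local wall-clock time plus the raw timezone field
# as it would appear in the event text (not taken from the thread).
SAMPLE_EVENTS = [
    ("2024-01-15 08:30:00", "America/Chicago"),  # winter: standard time (CST)
    ("2024-07-15 08:30:00", "America/Chicago"),  # summer: daylight time (CDT)
    ("2024-07-15 08:30:00", "UTC"),
]

# What a fixed-offset alias would assume for each zone, in seconds east of UTC.
# Constructed to mirror an alias such as America/Chicago=GMT-06:00.
STATIC_ALIAS_OFFSETS = {"America/Chicago": -6 * 3600, "UTC": 0}


def resolve_event_time(local_ts, zone_name):
    """DST-aware resolution via the IANA database.

    Returns (zone abbreviation, UTC offset in seconds, timestamp in UTC).
    The abbreviation flips between CST and CDT depending on the date.
    """
    zone = ZoneInfo(zone_name)
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
    offset = int(local.utcoffset().total_seconds())
    return local.tzname(), offset, local.astimezone(timezone.utc)


def static_alias_error(local_ts, zone_name, alias_offsets=STATIC_ALIAS_OFFSETS):
    """Seconds by which a fixed-offset alias would misplace this event in UTC.

    0 means the alias happens to be right for that date; a positive value means
    the event would be indexed that many seconds later than it really occurred.
    """
    _, true_offset, _ = resolve_event_time(local_ts, zone_name)
    return true_offset - alias_offsets[zone_name]


if __name__ == "__main__":
    for local_ts, zone_name in SAMPLE_EVENTS:
        abbrev, offset, utc = resolve_event_time(local_ts, zone_name)
        err = static_alias_error(local_ts, zone_name)
        print(f"{local_ts} {zone_name:16} -> {abbrev} ({offset:+d}s) "
              f"UTC {utc.isoformat()}  static-alias error: {err:+d}s")
```

The July event shows the problem the question describes: a single alias value is exact in January and an hour off in July, which is why the zone identifier must go through a DST-aware mapping rather than a fixed offset.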
Please post a representative sample of the various events and their timezones.
What is the example line for the time data, and are you using %z to parse the timezone data from the file?
Or are you configuring TZ= per sourcetype?
"Date and time format variables" explains the %z syntax.