Getting Data In

How does timezone assignment work for timezoneless events with one or more Intermediate Forwarders?

muebel
SplunkTrust

One of the new features in Splunk 6.0+ is the capability of a forwarder assigning a timezone to an event in the situation where the timestamp can't be parsed from the raw event, and there isn't any props configuration assigning a timezone. This assignment is described as being based on the OS of the forwarder, and ultimately the Indexer itself. Events like this show up as "date_zone = local".

I am hoping that somebody has some experience with this interaction, and can explain what happens when you have one or more Intermediate forwarders (source Universal Forwarder sends to Intermediate "Heavy Forwarder" which sends to an Indexer, or even another Heavy Forwarder).

Assuming the whole chain is 6.0+, should we expect the timezone to be assigned at the Universal Forwarder and stay that way? Or does the assignment happen when the data is "cooked" at the Heavy Forwarder? Or does it happen whenever the event passes through a pipeline at all?

Thanks for any help!

0 Karma

ryanoconnor
Builder

Have you taken a look at this page? http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Applytimezoneoffsetstotimestamps#How_Splunk_a...

Assuming the whole chain is 6.0+, you should expect the data to use the timezone provided by the UF provided there is no explicit props.conf file specifying the timezone and if the raw event data doesn't contain a timezone.

0 Karma
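The surest way to take the forwarder chain out of the equation is to not depend on the forwarder-supplied zone at all. The stanza below is an added example (not from this thread or from Splunk's documentation) of a props.conf entry that pins the timezone for a sourcetype whose raw events carry no offset; the sourcetype name and the zone are assumptions for illustration. An explicit TZ in props.conf takes precedence over the forwarder's OS timezone and over the indexer's, and it has to live on the host that first parses the event (the indexer, or a heavy forwarder in an intermediate tier), since a universal forwarder does not parse timestamps.

```ini
# props.conf on the first parsing host (indexer, or the heavy forwarder
# in an intermediate tier). Sourcetype name and zone are constructed
# for this example; replace with your own.
[my_app:timezoneless]
# Explicit IANA zone for timestamps that carry no offset in the raw event.
# This overrides the forwarder/indexer OS timezone that would otherwise
# be applied, so the event no longer ends up with date_zone = local.
TZ = America/Chicago
# Make timestamp extraction explicit as well, so the parser does not fall
# back to heuristics for this sourcetype.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
```

After deploying the stanza and restarting the parsing host, search newly indexed events for this sourcetype and check the date_zone field: it should no longer read "local". Events indexed before the change keep whatever zone was applied at the time, so compare only data that arrived after the restart.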

dflodstrom
Builder

It looks like there is one catch according to this page: link text

Additionally, forwarders do not maintain the timezone transmission feature across intermediate forwarding tiers when those tiers consist solely of light or universal forwarders.

0 Karma

muebel
SplunkTrust

So, while reading the Forwarder Manual I came across this passage:

Timezone transmission by the forwarder. Additionally, forwarders do not maintain the timezone transmission feature across intermediate forwarding tiers when those tiers consist of light or universal forwarders.

This seems to have some relevance to the initial question, but it still doesn't seem quite clear what the expected behavior should be.

0 Karma