Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to apply Time Zone TZ = UTC to only 14 hosts o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's say we have 16 hosts with the same sourcetype=devicetype
14 hosts are in UTC, 2 hosts are in EST (local) time zones.
All hosts have name that starts with the same prefix "host-": host-au, host-uk, host-sg, host-tw, etc
What's the best way to apply TZ = UTC to only 14 hosts and not to 2 that already has timestamp in local ETC format?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apply it on hosts instead of sourcetype or create two different apps.
[host::$YOUR REGEX$]
[source::] and [host::] stanza match language:
Match expressions must match the entire name, not just a substring. If you
are familiar with regular expressions, match expressions are based on a full
implementation of PCRE with the translation of ..., * and . Thus . matches a
period, * matches non-directory separators, and ... matches any number of
any characters.
For more information see the wildcards section at:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards
https://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
before you do, why the system emits data in local format? can they configure the backend to use UTC or send timezone info also in the log like an rfc3339 standard?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@koshyk, we tried. We don't have access to the vendor's devices. Their support teams claimed that they did what they could on their side by changing system time to UTC format. They also claimed that they cannot change format of syslog logs being sent.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apply it on hosts instead of sourcetype or create two different apps.
[host::$YOUR REGEX$]
[source::] and [host::] stanza match language:
Match expressions must match the entire name, not just a substring. If you
are familiar with regular expressions, match expressions are based on a full
implementation of PCRE with the translation of ..., * and . Thus . matches a
period, * matches non-directory separators, and ... matches any number of
any characters.
For more information see the wildcards section at:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards
https://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@valiquet, thank you again for suggestion. That's what I did: used [host::] with regex that would exclude two of the servers we don't need to apply different TZ.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The props.conf allows specification of TZ attribute by host as well, so you can setup stanzas for each host/host prefix (it allows wildcard for hosts) and add appropriate TZ attribute.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
