Getting Data In

How to apply a timezone (TZ) props.conf entry to a rewritten source or host?


I have a datasource which includes a timestamp without a timezone forwarded from a single collection source, and some other location data in the event which I can use to categorise the data into their respective timezones.

As the data is forwarded from a single source, I cannot set the timezones at input.confs without a script to pre-process the data, which I would like to avoid. The output format of the data is fixed and I have no access to the source.

Source: foo
Sourcetype: bar
Event: AAA,foobar,AUVI,201412121738,324521345,3452345,IVXIJB1,3,0,1,2346,357,8

So we have the following props and transforms:

TIME_PREFIX = (?:[^,]*,){3}
TRANSFORMS-bar_create_host = bar_create_host

TZ = Australia/Melbourne

TZ = Australia/Sydney

TZ = Australia/Brisbane

TZ = Australia/Adelaide

REGEX = (?^AAA),(?[a-zA-Z0-9]*),(?[A-Z0-9]*)
DEST_KEY = MetaData:Host`

The host gets rewritten fine, the timestamp extracts fine, but the timezone will not apply based on the rewritten host stanza in props.conf. the date_zone field is always 'local' (should be 600 if set to Australia/Melbourne / UTC+10:00)

I have tried rewriting the source instead of the host field and setting the TZ entry under a source::foo based stanza in props.conf, I have tried setting priority of the associated props stanzas to 1 and 100 in alternating configs to no avail.

At the moment I'm stuck on using a heavy forwarder to do the host rewrite then forcing the input of the cooked data to be reparsed at the indexer so the TZ entry is honoured on a per-host or per-source basis. That is really more cumbersome than I would like.

Is this a bug or is the parsing of these events working as designed, that is you cannot set the TZ at index/parsing time by a rewritten host or source stanza?

Any assistance appreciated. I would like to avoid a scripted input if possible.

This is in a distributed install on RHEL/OEL 5 & 6 x64, Splunk version 6.1.5 on forwarders, indexers and search heads.

0 Karma

Esteemed Legend

As you noted, the problem is that you have overridden your host and you cannot use the new host value as a stanza header in props.conf; therefore, you need to trigger off of source or sourcetype and you may have more options than you suppose. The easiest option is to write your files into a directory that directly (/mydir/TZ-Central/) or indirectly (/mydir/hostx/) identifies something that you can use later with a source-based stanza header like this:

0 Karma
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...