Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change timezone of logs?

smmehadi
Explorer
‎09-07-2012 01:27 AM

We have setup splunk in our environment, and we have logs coming in from different geographies (US/UK/Asia). The logs, all have different timestamps, so we thought of converting them to same timezone (US/EST). For this we made changes in splunk forwarder (/opt/splunkforwarder/etc/apps/search/local/props.conf) to add:
[sourcetype::log4j]
TZ = US/Eastern

but still logs are coming with original time stamp. Then we made similar changs in /opt/splunkforwarder/etc/system/local/props.conf, but that too didn't worked (we restarted forwarder after these changes).

When we made these changes in splunk server (/opt/splunk/etc/system/local/props.conf), the time of log got changed, but it was incorrect. For example "7 Sep 5 AM" of london, appeared as "6 Sep 3 PM", which isn't as expected.
can you please help and how can i debug it?

Labels (1)
Labels
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-09-2012 01:35 PM

Internally, Splunk stores all times in GMT (as a C-style time_t seconds-since Jan 1 1970 00:00:00 GMT). The TZ property in props.conf tells Splunk what timezone the logfiles are from so that it can apply the proper offset to convert them to their GMT-equivalent before storing.

If the events themselves have a TZ defined in them, Splunk applies to offset based on that. Otherwise, the default TZ offset is the TZ of the system that parses the events - which will be either the Indexer or a Heavy Forwarder.

At search time, Splunk 4.3 allows lets you search in your current time zone as defined for your user, and events will be displayed at search time in that time zone.

View solution in original post

Reply
Solved! Jump to solution

Rashish
New Member
‎03-01-2023 03:26 AM

Hi Guys,

We am running in the similar issues. We are collecting windows security, registry changes & linux auth logs using UF which forwards data to IUF and then to Splunk Cloud indexers.  The issue is we have the logs sources located in multiple geo location and each geo location has local IUF's hosted. However, we see some of the sources windows/linux servers are showing data in future.

How do we solve this?

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-09-2012 01:35 PM

Internally, Splunk stores all times in GMT (as a C-style time_t seconds-since Jan 1 1970 00:00:00 GMT). The TZ property in props.conf tells Splunk what timezone the logfiles are from so that it can apply the proper offset to convert them to their GMT-equivalent before storing.

If the events themselves have a TZ defined in them, Splunk applies to offset based on that. Otherwise, the default TZ offset is the TZ of the system that parses the events - which will be either the Indexer or a Heavy Forwarder.

At search time, Splunk 4.3 allows lets you search in your current time zone as defined for your user, and events will be displayed at search time in that time zone.

Reply
Solved! Jump to solution

srisplunk12
Engager
‎01-17-2017 01:01 PM

Hi dwaddle., we are having a similar issue where one of the windows server is sending the log files in GMT but the splunk server is showing only for EST ,so we are receiving the files but with a latency.. So do i need to make changes in the UF that is installed on the windows system that is sending to HF which is connected to Cloud.
Also which phrase in prop.s conf i have the make these changes , can you pls help..

0 Karma
Reply
Solved! Jump to solution

RickCurry
Explorer
‎07-18-2017 08:45 AM

I suggest that you consider opening a new question and make a reference to the one which you have a similar need. It is likely that the only people that will see your question added to the old question are those like me who got here from the results of a search looking for this type of information. Using our own, new question will help assure that it is presented to the group and more likely get the attention it deserves.

To answer your question, the changed indicated above by @dwaddle go into the Indexer (or Heavy Forwarder) props.conf file in the stanza setup for your sourcetype.

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎09-10-2012 07:18 AM

Excellent. Could you please click the accepted-answer checkbox so this will be marked as solved?

Reply
Solved! Jump to solution

smmehadi
Explorer
‎09-09-2012 10:00 PM

Thanks, this resolved the issue.

0 Karma
Reply
Solved! Jump to solution

smmehadi
Explorer
‎09-07-2012 01:41 AM

expected time is "6 Sep 12 PM" (a difference of 5 hour from London time).

0 Karma
Reply
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...