Getting Data In

How to configure Splunk to convert the UTC timezone of my server into my local EST timezone?

magneto417x
New Member

I have an MHN server sending data to Splunk, and it is being sent in UTC time. When I go into Splunk, I have event data that is 5 hours in the future because I'm in the Eastern timezone. How can I fix this issue? Thanks

0 Karma

richgalloway
SplunkTrust

Add TZ = UTC to the relevant stanza of your props.conf file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
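As an added example (not part of the thread, and not MHN's or Splunk's own configuration), here is what a complete props.conf stanza for the sourcetype in this thread could look like. It assumes every event starts with the zone-less ISO 8601 timestamp seen in the event posted later in the thread (2017-02-23T16:49:45.582791) and that each line is one event:

```ini
# props.conf on the Splunk instance that parses the data (an indexer or
# heavy forwarder, not a universal forwarder), for example in
# $SPLUNK_HOME/etc/system/local/ or an app's local/ directory.
# The stanza name is the sourcetype exactly as shown in Splunk Web (case matters).
[mhn-splunk]
# The sender writes the timestamp in UTC with no zone suffix, so tell Splunk
# which zone to assume. Use a zone name, never a fixed offset: Eastern time is
# UTC-5 in February but UTC-4 in July, and TZ = UTC is right in both cases.
TZ = UTC
# The timestamp is the first token of the event: 2017-02-23T16:49:45.582791
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
# 26 characters covers the whole timestamp; keeps Splunk from scanning further
MAX_TIMESTAMP_LOOKAHEAD = 26
# One event per line
SHOULD_LINEMERGE = false
```

Restart splunkd on that instance after editing; the parsing-time settings are not picked up by a simple refresh. Afterwards `splunk btool props list mhn-splunk --debug` should print the stanza together with the file each setting comes from, which is also how to confirm the stanza is being read at all. Note that the fix only applies to events indexed after the change: events already in the index keep the timestamps they were given, so if the 5-hour skew matters for past data (for example when correlating the honeypot logins with other sources), those events have to be deleted and re-indexed.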

magneto417x
New Member

Which props.conf, and how do I determine the relevant stanza???

0 Karma

richgalloway
SplunkTrust

The relevant stanza is the one matching the sourcetype of the event. It could be in any props.conf file, but you can find it using btool.

splunk btool --debug inputs list <sourcetype>

---
If this reply helps you, Karma would be appreciated.
0 Karma

magneto417x
New Member

I ran that command with sourcetype mhn-splunk and it returned nothing 😞

0 Karma

richgalloway
SplunkTrust

Make sure you pass the right sourcetype name to btool. Case is significant.

---
If this reply helps you, Karma would be appreciated.
0 Karma

magneto417x
New Member

I grabbed the sourcetype out of the Splunk web interface. I looked at a few events and they all said

sourcetype=mhn-splunk

I ran the command splunk btool --debug inputs list mhn-splunk

No results came back.

0 Karma

richgalloway
SplunkTrust

My mistake. btool should be looking at props.

splunk btool --debug props list mhn-splunk
---
If this reply helps you, Karma would be appreciated.
0 Karma

magneto417x
New Member

Nothing returned using that either

0 Karma

magneto417x
New Member

Example of an event sent to Splunk. When Splunk gets it, it says it happened at 4:49pm EST when it actually happened at 11:49am EST:

2017-02-23T16:49:45.582791 direction="inbound", protocol="ip", ids_type="network", dest="192.000.000.231", ssh_username="user", app="cowrie", transport="tcp", dest_port="22", src="203.00.000.73", src_port="54187", severity="high", vendor_product="Cowrie", sensor="f1abd5b4-f2ed-11e6-a7c2-00155d3f1218", ssh_password="cyprus1", signature="SSH login attempted on cowrie honeypot", ssh_version="SSH-2.0-libssh-0.1", type="cowrie.sessions"
0 Karma
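The skew in the event above can be reproduced outside Splunk. The following is an added example (not from the thread, not MHN or Splunk code) that parses the leading timestamp of a constructed event shaped like the posted one, then shows what happens when the zone-less timestamp is assumed to be local Eastern time versus UTC. It also goes one step beyond the thread: the same event dated in July is only 4 hours off, which is why the fix must be a zone name (TZ = UTC) rather than a hard-coded 5-hour correction. The helper names and the abbreviated event line are assumptions of this example.

```python
from datetime import datetime
from zoneinfo import ZoneInfo  # Python 3.9+, needs system tz data

UTC = ZoneInfo("UTC")
EASTERN = ZoneInfo("America/New_York")  # handles EST/EDT switching

# Constructed sample: the timestamp is the one posted in the thread, the
# rest of the event is abbreviated. Note the timestamp carries no zone.
SAMPLE_EVENT = (
    '2017-02-23T16:49:45.582791 direction="inbound", protocol="ip", '
    'app="cowrie", src_port="54187", type="cowrie.sessions"'
)


def extract_timestamp(event: str) -> datetime:
    """Parse the ISO 8601 timestamp the sender puts first in each event.

    Returns a naive datetime: the string says nothing about its zone, which
    is exactly why Splunk has to be told which zone to assume via TZ.
    """
    raw = event.split(" ", 1)[0]
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%f")


def as_eastern(naive: datetime, assumed_zone: ZoneInfo) -> datetime:
    """Attach the zone Splunk would assume, then convert to US Eastern.

    With assumed_zone=EASTERN (no TZ setting on an Eastern-time indexer)
    the posted event shows up at 16:49 Eastern; with assumed_zone=UTC
    (TZ = UTC in props.conf) it shows up at the real 11:49 Eastern.
    """
    return naive.replace(tzinfo=assumed_zone).astimezone(EASTERN)


def hours_of_error(naive: datetime,
                   actual_zone: ZoneInfo = UTC,
                   assumed_zone: ZoneInfo = EASTERN) -> float:
    """Hours too late the event appears when its timestamp was written in
    actual_zone but interpreted as assumed_zone. Positive means 'in the
    future', as the original poster saw."""
    wrong = naive.replace(tzinfo=assumed_zone)
    right = naive.replace(tzinfo=actual_zone)
    return (wrong - right).total_seconds() / 3600


if __name__ == "__main__":
    ts = extract_timestamp(SAMPLE_EVENT)
    print("assumed local Eastern:", as_eastern(ts, EASTERN).isoformat())
    print("assumed UTC (TZ=UTC): ", as_eastern(ts, UTC).isoformat())
    print("February error:", hours_of_error(ts), "hours")
    july = extract_timestamp('2017-07-23T16:49:45.000000 app="cowrie"')
    print("July error:    ", hours_of_error(july), "hours")
```

The February event is off by 5 hours because Eastern time is UTC-5 in winter; the July event is off by only 4 because of daylight saving time. A TZ = UTC stanza handles both, while a fixed offset or a search-time `eval _time = _time - 5*3600` would be wrong for half the year.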