Hi All, currently we got a request to adjust the time zone based on the plant location from which the firewall logs are sent to the Splunk Heavy Forwarder instances and then get indexed on the individual indexer instances. Likewise, in our environment the HF instances act as the syslog servers.
Exact requirement:
We want to adjust the time zone based on the plant location. Currently we can see that all the data is indexed in the EDT time zone. There are 13 different plant locations from which the firewall logs are sent, and mostly they all fall under the time zones EST and CST, except for one plant located in Malaysia, GMT -7.
The configuration details below are set in customized apps called Test-IA-guard and Test-TA-guard, and both apps are placed on the HF instances.
Test-IA-guard is configured with an inputs.conf stanza.
[monitor:///opt/syslogs/guard/.../guard.log*]
index=firewall
sourcetype=guard:network:firewall
host_segment = 4
Note: props.conf and transforms.conf are configured based on setting a per-event host name.
We have more than 200 nodes configured based on per-event host name.
Test-TA-mguard is configured with props & transforms.
Props.conf details:
[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host1
Transforms.conf details:
[guard_rename_Host1]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::guard-Line1
And we know that we can configure the time zone in props.conf using the TZ stanza with either sourcetype, host or source. But we are not sure how to configure the time zone for 13 different locations using the same props.conf stanza. Kindly guide me on how to configure the time zone based on the different locations.
Thanks in advance.
Give this a try.
Test-TA-mguard configured with props & transforms (assuming there is a props/transforms entry for each host/node).
Props.conf details:
[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host1
#Host in EST
TZ = EST
[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host2, set_tz_myt
#Host in Malaysia
TZ = MYT
Hi Somesoni2, thanks for your effort. As I had commented earlier, we have Test-TA-mguard configured with props & transforms, and all the plant data from the different locations is filtered based on setting a per-event host name.
Example: Plant from Malaysia
Props.conf
[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host1
The next set of hosts from the EST location is configured in the same props.conf file, filtered by their host name:
[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host4
TZ = EST
Likewise, we have hosts from 13 different plant locations mentioned in the same props.conf file, and we have almost 200+ hosts from these 13 locations sending the data.
Question:
How will Splunk understand that the first set of three hosts is from Malaysia and the second set of hosts is from the EST location, as all the host details are mentioned continuously in the same props file? Though all the hosts have different host names/IP addresses.
Thanks in advance.
Hi Somesoni2, good morning. As I had mentioned in the above comment, how will Splunk understand that the first set of three hosts is from Malaysia, the second set of hosts is from EST and the third set of hosts is from the CST location, as all the host details are mentioned continuously in the same props file? Though all the hosts have different host names/IP addresses.
OR do we need to mention the TZ stanza in each and every host stanza individually for the 200+ host names mentioned in props.conf, as shown below?
Example: Plant from Malaysia (first 3 different hosts)
Props.conf
[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host1
TZ = GMT -7
#Host in EST
[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host4
TZ = EST
[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host7
TZ = CST
Another important doubt to be clarified: all our Splunk instances are in the EDT time zone, so do we need to adjust anything for daylight saving in the above stanzas?
Kindly guide me on this.
You would need to specify the TZ attribute in each of the host stanzas.
For automatically handling DST, specify the TZ according to the table listed on this page:
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
Is the plant location logged somewhere in the raw data OR file path? OR are there specific host names/prefixes for each plant?
Hi Somesoni2, thanks for your quick response on this. All plants are separated by specific host names and IP addresses; we use the below query to filter each plant based on the host.
Example:
index=firewall sourcetype=guard:network:firewall host="elspc0*"
11/3/17
1:04:28.000 PM
Nov 3 13:04:28 10.15.13.240 2017-11-03_17:04:28.02540 <13>Nov 3 12:04:28 memlog: 1947 root 2976 S /Packages/ssh_0/sbin/sshd -D -f /etc/sshd/sshd_config
host = elspc001 source = /opt/syslogs/guard/10.x.x.x/guard.log sourcetype = guard:network:firewall
Likewise, each plant contains a different set of host names sending the firewall data to the HF instances.
As I had stated earlier in my comment, props.conf and transforms.conf are configured based on the per-event host name concept.
Kindly guide me on how to adjust the time zone based on the plant location.
Thanks in advance.
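Putting Somesoni2's two replies together (TZ per host stanza, tz database names for DST), here is an added props.conf example; it is not from the thread or from Splunk's own apps. It keys the TZ on the host value as it exists at parse time: with host_segment = 4 in the inputs.conf stanza above, that value is the IP directory under /opt/syslogs/guard/, not the renamed host. The subnets 10.15.x.x, 10.16.x.x and 10.17.x.x, their plant assignments, and the sample host 10.15.13.240 are assumptions for illustration; the rename transform name is the one from the thread.

```ini
# Added example: one TZ stanza per plant instead of one per host.
# Assumption (illustration only): each plant sends from its own subnet.
#   10.15.x.x = Malaysia plant, 10.16.x.x = an Eastern plant, 10.17.x.x = a Central plant
# The host patterns match the host as set by host_segment = 4 (the IP
# directory), because timestamp/TZ handling happens before the
# TRANSFORMS rename to guard-Line1 takes effect.

# Malaysia: tz database zone for Malaysia (no DST)
[host::10.15.*]
TZ = Asia/Kuala_Lumpur

# Eastern plants: America/New_York switches between EST and EDT by itself,
# whereas TZ = EST is a fixed -05:00 offset all year
[host::10.16.*]
TZ = America/New_York

# Central plants: America/Chicago covers both CST and CDT
[host::10.17.*]
TZ = America/Chicago

# Existing per-host rename stanzas stay as they are; they no longer need
# their own TZ line (sample host IP is a constructed placeholder)
[host::10.15.13.240]
TRANSFORMS-guard_rename = guard_rename_Host1
```

If a plant does not have its own subnet, a [source::/opt/syslogs/guard/<ip>/guard.log*] pattern keyed on the syslog directory works the same way. A literal [host::10.15.13.240] stanza takes precedence over a wildcard one, so setting TZ in both for the same host means the literal value wins; the effective per-host settings can be listed with "splunk btool props list host::10.15.13.240 --debug" on the HF. TZ only applies to events whose raw timestamp carries no zone of its own, which is the case for the "Nov 3 13:04:28" syslog header in the sample event.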