How to configure timezone for timestamps in forwar...

Jaymaree · ‎09-09-2014

Hi dear,

I have a question. The time of the logs is wrong comparing with the time of my machine which is forwarding logs. I've read somewhere I can change the locale time in props.conf, but I can't find it on my debian Splunk server.

I've looked in /etc/ etc. etc.

Thanks in advance.

Regards,

kristian_kolb · ‎09-09-2014

You should not change it on the forwarder, but on the Splunk instance where the parsing takes place. This is usually the indexer.

And props.conf can exist in many different places. And they all count, since they're merged together at runtime (when splunk restarts, or re-reads the configs).

The one place where settings will always work is in /opt/splunk/etc/system/local. Open the props.conf there and make your adjustments.

http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Propsconf

This is a pretty short answer to what might develop into several follow-up questions. But please - do take the time to read some documentation. Especially on the topics of configuration file precedence, and the splunk data pipeline.

http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Wheretofindtheconfigurationfiles
http://docs.splunk.com/Documentation/Splunk/6.1.3/Deploy/Datapipeline

/k

How to configure timezone for timestamps in forwarder's props.conf on Debian Splunk server?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation