Getting Data In

How to convert UTC to CST

martinnepolean
Explorer

We are receiving events on our syslog collector in UTC timezome. Below is the sample event.

I have configured the below props on our search head, My assumption was it will pick the searchhead timezone while showing the events in SH.but it is not converting the timezone to CT

[sourcetype]
DATETIME_CONFIG = CURRENT

Oct  8 13:59:00 x.x.x.x [Audit] User xxxxlogged in on the web GUI interface.
0 Karma

ivanreis
Builder

Please try this one at props.conf using the host

[host::server_sourcename]
TZ = US/Central

OR by source

[source::your_source]
TZ = US/Central

OR by sourcetype

[sourcetype::your_sourcetype]
TZ = US/Central

For further information, please check this document: https://answers.splunk.com/answers/135193/splunk-indexing-and-time-zone-normalization.html

0 Karma

martinnepolean
Explorer

No ivanreis, it didnt work, below is my props file content

source = /opt/syslog_ng/logs/xxx//-xxx.log

[source::/opt/syslog_ng/logs/xxx/*/*xxx.log]
TZ = US/Central

0 Karma

ivanreis
Builder

Where you are deploying this configuration?
In order to have this configuration work properly, the props.conf have to be deployed at the indexer or heavy forwarder tier to parse the timezone properly before indexing, if you are not running on a Splunk standalone instance. Use the btool to troubleshoot your configuration.

https://docs.splunk.com/Documentation/Splunk/7.3.2/Troubleshooting/Usebtooltotroubleshootconfigurati...

0 Karma

martinnepolean
Explorer

I have deployed them on indexers, I have created a new app for props file and deployed yo all index peers. But still, the time conversion is not happening.

[source::/opt/syslog_ng/logs/xxx/*/*xxx.log]
TZ = US/Central

0 Karma
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Announcing the General Availability of Splunk Enterprise Security 8.1!

We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...