How to pull timezone from a field in each event?

rmjohns · ‎05-12-2023

Our server is forwarding events for us and includes some extra fields at the beginning of each event. One of those fields is the timezone offset of the server.

So the event might look like:

domain,hostname,timezone,path,log_message

Where the log_message contains a timestamp but the timestamp can be in different locations in the log_message and the timestamp can have different formats. The timestamp does not include timezone information.

Splunk does a good job of finding the timestamps and creating the _time to match, but I can't figure out how to apply the timezone field.

I really want to have in my props.conf to have TZ= reference the timezone field from the events:
TZ=timezone

but that doesn't seem to work.

rmjohns · ‎05-12-2023

Surprisingly, it seems to work if I add a TIMESTAMP_FIELDS line to the bottom of the source type section like:

[LOGDATA]
EXTRACT-LOG = ^(?<domain>[^,]+),(?<host>[^,]+),[^,]+,[^,]+,[^,]+,(?<timezone>[^,]+),(?<sourcename>[^,]+),(?<TEXT>.+)$
TIME_FORMAT = %m/%d/%Y %H:%M:%S
TIMESTAMP_FIELDS = _time, timezone

Splunk must create the _time field and then update it with the timezone?

How to pull timezone from a field in each event?

props.conf

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

How to pull timezone from a field in each event?

props.conf

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk