Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to pull timezone from a field in each event?

rmjohns
Explorer
‎05-12-2023 11:32 AM

Our server is forwarding events for us and includes some extra fields at the beginning of each event. One of those fields is the timezone offset of the server. 

So the event might look like: 

domain,hostname,timezone,path,log_message

Where the log_message contains a  timestamp but the timestamp can be in different locations in the log_message and the timestamp can have different formats. The timestamp does not include timezone information. 

Splunk does a good job of finding the timestamps and creating the _time to match, but I can't figure out how to apply the timezone field. 

I really want to have in my props.conf to have TZ= reference the timezone field from the events:
TZ=timezone

but that doesn't seem to work. 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

rmjohns
Explorer
‎05-12-2023 01:23 PM

Surprisingly, it seems to work if I add a TIMESTAMP_FIELDS line to the bottom of the source type section like:

[LOGDATA]
EXTRACT-LOG = ^(?<domain>[^,]+),(?<host>[^,]+),[^,]+,[^,]+,[^,]+,(?<timezone>[^,]+),(?<sourcename>[^,]+),(?<TEXT>.+)$
TIME_FORMAT = %m/%d/%Y %H:%M:%S
TIMESTAMP_FIELDS = _time, timezone

 

Splunk must create the _time field and then update it with the timezone? 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...