How to pull timezone from a field in each event?

rmjohns · ‎05-12-2023

Our server is forwarding events for us and includes some extra fields at the beginning of each event. One of those fields is the timezone offset of the server.

So the event might look like:

domain,hostname,timezone,path,log_message

Where the log_message contains a timestamp but the timestamp can be in different locations in the log_message and the timestamp can have different formats. The timestamp does not include timezone information.

Splunk does a good job of finding the timestamps and creating the _time to match, but I can't figure out how to apply the timezone field.

I really want to have in my props.conf to have TZ= reference the timezone field from the events:
TZ=timezone

but that doesn't seem to work.

rmjohns · ‎05-12-2023

Surprisingly, it seems to work if I add a TIMESTAMP_FIELDS line to the bottom of the source type section like:

[LOGDATA]
EXTRACT-LOG = ^(?<domain>[^,]+),(?<host>[^,]+),[^,]+,[^,]+,[^,]+,(?<timezone>[^,]+),(?<sourcename>[^,]+),(?<TEXT>.+)$
TIME_FORMAT = %m/%d/%Y %H:%M:%S
TIMESTAMP_FIELDS = _time, timezone

Splunk must create the _time field and then update it with the timezone?

How to pull timezone from a field in each event?

props.conf

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to pull timezone from a field in each event?

props.conf

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits