Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to set the time zone in an index?

renanprado96
Path Finder
‎07-14-2016 12:15 PM

I want to set the time zone in an index.
The time zone is GMT -03: 00 (São Paulo - Brazil).
How do I do that?

Thank you!

0 Karma
Reply

woodcock
Esteemed Legend
‎07-14-2016 01:01 PM

The link provided in the other answer is a bit out of date and things have changed.

The highest precedence for TZ settings is an explicit value inside any event (provided the TIME_FORMAT is configured to see it). If this is not in place, then the next highest precedence for TZ settings is the props.conf that is on the forwarder, then the one on the Indexers. You can override the TZ setting inside the event by using TZ_ALIAS. There is no spec for index inside props.conf; there is only this:

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.

So you will have to work with sourcetype specification stanzas instead, which should be no problem.
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

Reply

renanprado96
Path Finder
‎07-15-2016 11:09 AM

Hello, have not worked yet.
What did I do wrong?

[dbcmp_csv]
EXTRACT-jobname_ricoh = ^(?P<jobname_ricoh>\d+_&\d+&)
FIELD_NAMES = ClienteERP,Aplicacao,ClienteAplicacao,idHistoricoProducao,DataHoraInicio,DataHoraTermino,Quantidade,idEtapa,NomeArquivoImpressao,CentroImpressao,TipoProduto,FormatoPapel,Maquina,GrupoMaquina,Fabricante,SituacaoArqImpressao,SituacaoLote
INDEXED_EXTRACTIONS = csv
TIME_PREFIX = .{0,}DataHoraTermino=
TIME_FORMAT = %s%3N
TZ = GMT
TZ_ALIAS = GMT = GMT-3:00
FIELD_DELIMITER = ,
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

Thank you!

0 Karma
Reply

woodcock
Esteemed Legend
‎07-15-2016 11:48 AM

Show me a sample event first. There is no way to validate your configurations otherwise.

0 Karma
Reply

renanprado96
Path Finder
‎07-15-2016 12:17 PM

In these samples the time should be at least 3 hours ago.

"2015-07-24 11:50:41" DATAAREAID="206", RECID=5637144596, DATAAREAID#2="206", ITEMID="002.0001.171", TRANSDATE=1437706800000, SUMOFQTYSEND=1.000000000000, SUMOFQTYRET=0E-12, RECIDLINE=5637184982, TRANSDATETIME=1437749441000, TRANSDATETIMETZID=37001, DATAAREAID#3="206", ITEMNAME="PRINT-INS-RICOH 5000 TINTA DYE PLUS BLACK"


"2015-07-24 11:50:41" DATAAREAID="206", RECID=5637144589, DATAAREAID#2="206", ITEMID="002.0001.163", TRANSDATE=1437706800000, SUMOFQTYSEND=1.000000000000, SUMOFQTYRET=0E-12, RECIDLINE=5637184981, TRANSDATETIME=1437749441000, TRANSDATETIMETZID=37001, DATAAREAID#3="206", ITEMNAME="PRINT-INS-TINTA PIGMENTADA PARA COLORSTREAM COR CYAN"
0 Karma
Reply

woodcock
Esteemed Legend
‎07-15-2016 02:14 PM

Your field names do not match the data in the events that you posted. Which is correct? Which field is the tmiestamp?

0 Karma
Reply

renanprado96
Path Finder
‎07-18-2016 11:00 AM

It is possible to do this for search?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-19-2016 07:42 AM

Because you have opened another question for this and that one is progressing, the right thing to do is to pick the best "can't do that" answer in this question and click Accept to close this question.
https://answers.splunk.com/answers/432855/how-to-configure-the-timezone-by-sourcetype.html#comment-4...

0 Karma
Reply

renanprado96
Path Finder
‎07-18-2016 06:12 AM

True, sorry!!

[dynamicsAX_csv]
FIELD_NAMES = DATAAREAID,RECID,DATAAREAID2,ITEMID,TRANSDATE,SUMOFQTYSEND,SUMOFQTYRET,RECIDLINE,TRANSDATETIME,DATAAREAID3,ITEMNAME
INDEXED_EXTRACTIONS = csv
TIME_PREFIX = .{0,}TRANSDATETIME=
TIME_FORMAT = %s%3N
TZ = GMT
TZ_ALIAS = GMT = GMT-3:00
FIELD_DELIMITER = ,
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

I sent the wrong, but I applied in correct.
It was just a mess when sending.

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎07-14-2016 12:47 PM

Hi renanprado96, Unfortunately a timezone can't be associated with an index. Rather, each event has a timezone specified. In the best case this timezone is pulled directly from the event itself (the timestamp has a timezone splunk can recognize, or be configured to recognize)

Past that, in version 6.0+ Splunk will leverage the timezone set in the OS of the forwarding host. Finally, it will use the timezone of the indexer.

Timezone can also be configured on a per host/source/sourcetype manner by configuring as such in props.conf like so:

[host::nyc*]
TZ = US/Eastern

More info can be found here : http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Applytimezoneoffsetstotimestamps

Please let me know if this answers your question! 😄

Reply

renanprado96
Path Finder
‎07-15-2016 11:07 AM

Hello, have not worked yet.
What did I do wrong?

[dbcmp_csv]
EXTRACT-jobname_ricoh = ^(?P<jobname_ricoh>\d+_&\d+&)
FIELD_NAMES = ClienteERP,Aplicacao,ClienteAplicacao,idHistoricoProducao,DataHoraInicio,DataHoraTermino,Quantidade,idEtapa,NomeArquivoImpressao,CentroImpressao,TipoProduto,FormatoPapel,Maquina,GrupoMaquina,Fabricante,SituacaoArqImpressao,SituacaoLote
INDEXED_EXTRACTIONS = csv
TIME_PREFIX = .{0,}DataHoraTermino=
TIME_FORMAT = %s%3N
TZ = America/Sao_Paulo
FIELD_DELIMITER = ,
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

Thanks!

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎07-15-2016 11:32 AM

Is this props config set on the receiver? (heavy forwarder/indexer)

Setting on the Universal Forwarder isn't enough for it to be effective.

0 Karma
Reply

renanprado96
Path Finder
‎07-18-2016 11:00 AM

It is possible to do this for search?

0 Karma
Reply

renanprado96
Path Finder
‎07-15-2016 11:40 AM

This configuration is defined in the Splunk server, the data is sent to a SQL database connected by dbConnect v2

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎07-15-2016 11:13 AM

Hmm, my guess is that there is something up with the time_prefix and/or time_format config. From the spec:

If the TIME_PREFIX cannot be found in the event text, timestamp extraction will not occur.
0 Karma
Reply

renanprado96
Path Finder
‎07-15-2016 11:25 AM

TIME_PREFIX removed and still did not work :'(
I had already tried to removed it
I do not know what to do ..

0 Karma
Reply

ddrillic
Ultra Champion
‎07-14-2016 12:35 PM

A good discussion at How and where does splunk determine host time zone ?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...