Getting Data In

How to set time zone dynamically based on host name?

joesrepsolc
Communicator

I've got 95% of this new input working, but was hoping to also configure the TZ (dynamically) based on the host name value. Would like to set the correct time zone based on the hostname starting with "CA" or "KC". I have the timezone settings to add to the props.conf just can't seem to figure out how to do this based on the host name.

How can I do that in my props.conf? The dataset is the same format, so I was hoping to do this in the single props.conf file.

if host=CA* then TZ=America/Chicago
if host=KC* then TZ=America/Los_Angeles

current PROPS.CONF

[sourcetype_name]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q
0 Karma
1 Solution

DavidHourani
Super Champion

Hi @joesrepsolc,

You can do this by including stanzas based on the host instead of sourcetype only. It should look something like this in your props.conf:

[host::CA*]
TZ = America/Chicago

[host::KC*]
TZ = America/Los_Angeles

Let me know how that works out for you.

You can see some more examples here:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Propsconf#props.conf.example

Cheers,
David


pretzel2
Path Finder

Hello, we have a similar but slightly different situation.

Will implementing the host:: stanza impact ALL sourcetypes from the host caught by the filter?

We have, for example, IIS logs which are in UTC and then application logs based on datacenter time zones, CST/CDT or EST/EDT. We tried host:: based on hostname/datacenter/location. But now our IIS logs are coming in in the future. Any suggestions?

0 Karma

pretzel2
Path Finder

We found a solution that worked in our case.

We have Windows servers in two different data centers, in different time zones. The application log files in each are using the local time zone for the timestamp. We were going to switch based on hostname BUT that introduced problems with log files like IIS, which are in UTC everywhere.

We found in the documentation for props.conf that if TZ for a sourcetype stanza is NOT specified, it will default to (use) the server's local time. That worked for us.

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
  the version 6.0 and higher forwarding protocol, use the timezone provided
  by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string


0 Karma
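To make the two configurations in this thread concrete, here is an added illustration (not code from the thread or from Splunk) that models the documented TZ precedence quoted above and the observation that a sourcetype stanza and a matching host:: stanza both apply to the same event. The stanza dictionaries, host names and log lines are constructed; stanza merging is simplified to "every matching stanza applies, later ones override earlier ones"; Splunk's %Q is replaced by Python's %f because strptime has no %Q; and the fixed-offset table is only a fallback for machines without the IANA time zone database.

```python
"""Model of how props.conf stanzas and Splunk's documented TZ precedence
decide an event's time zone. Added example, not Splunk's code; stanza
merging is simplified (every matching stanza applies, later ones override).
"""
import re
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Python's strptime has no %Q (Splunk's milliseconds); %f is the stand-in.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed config A: the accepted answer. TZ comes from wildcard host::
# stanzas and therefore applies to every sourcetype from a matching host.
PROPS_BY_HOST = {
    "sourcetype::app_log": {"TIME_FORMAT": TIME_FORMAT},
    "sourcetype::iis": {"TIME_FORMAT": TIME_FORMAT},
    "host::CA*": {"TZ": "America/Chicago"},
    "host::KC*": {"TZ": "America/Los_Angeles"},
}

# Constructed config B: pretzel2's approach. Only the sourcetype whose stamps
# are always UTC pins TZ; the rest fall through to the forwarder/system zone.
PROPS_BY_SOURCETYPE = {
    "sourcetype::app_log": {"TIME_FORMAT": TIME_FORMAT},
    "sourcetype::iis": {"TIME_FORMAT": TIME_FORMAT, "TZ": "UTC"},
}

# Standard-time offsets used only when no IANA database is installed
# (constructed fallback so the example runs offline; real deployments use tzdata).
_FALLBACK_HOURS = {"UTC": 0, "America/Chicago": -6,
                   "America/Los_Angeles": -8, "Asia/Dubai": 4}

def zone(name):
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=_FALLBACK_HOURS[name]), name)

def effective_settings(props, host, sourcetype):
    """Merge every stanza matching the event's host or sourcetype, which is
    why a sourcetype stanza and a host:: stanza can both apply to one event.
    Host patterns are globs, so host::CA* matches CA-web01."""
    merged = {}
    for stanza, settings in props.items():
        kind, pattern = stanza.split("::", 1)
        candidate = host if kind == "host" else sourcetype
        if fnmatchcase(candidate, pattern):
            merged.update(settings)
    return merged

# Zone designators the raw text may carry: UTC/GMT, a Z after the time, +04:00/-0800.
_RAW_TZ = re.compile(r"\b(UTC|GMT)\b|(?<=\d)(Z)\b|([+-]\d{2}):?(\d{2})(?=\s|$)")

def resolve_tz(raw, settings, forwarder_tz=None, system_tz="UTC"):
    """Documented precedence: zone in the raw text > TZ setting > zone sent
    by the forwarder > zone of the system running splunkd."""
    m = _RAW_TZ.search(raw)
    if m:
        if m.group(1) or m.group(2):
            return timezone.utc, "raw"
        sign = -1 if m.group(3).startswith("-") else 1
        delta = timedelta(hours=abs(int(m.group(3))), minutes=int(m.group(4)))
        return timezone(sign * delta), "raw"
    if settings.get("TZ"):
        return zone(settings["TZ"]), "props"
    if forwarder_tz:
        return zone(forwarder_tz), "forwarder"
    return zone(system_tz), "system"

def event_epoch(props, raw, host, sourcetype, forwarder_tz=None, system_tz="UTC"):
    """Parse the leading timestamp with TIME_FORMAT, attach the resolved zone
    and return (epoch seconds, which rule supplied the zone)."""
    settings = effective_settings(props, host, sourcetype)
    tz, reason = resolve_tz(raw, settings, forwarder_tz, system_tz)
    naive = datetime.strptime(raw[:23], settings["TIME_FORMAT"])
    return int(naive.replace(tzinfo=tz).timestamp()), reason

if __name__ == "__main__":
    # Constructed events: an app log stamped in local time, an IIS line stamped in UTC.
    app = "2024-01-15 10:30:00.123 order service started"
    iis = "2024-01-15 10:30:00.123 GET /index.html 200"
    for label, props in (("by host", PROPS_BY_HOST), ("by sourcetype", PROPS_BY_SOURCETYPE)):
        for raw, st in ((app, "app_log"), (iis, "iis")):
            epoch, why = event_epoch(props, raw, "CA-web01", st, forwarder_tz="America/Chicago")
            print(f"{label:14} {st:8} {epoch} ({why})")
```

Running it shows the effect pretzel2 describes: under config A the IIS line from CA-web01 is read as Chicago time and lands six hours later than the real UTC instant, while under config B the IIS sourcetype stays UTC and the app log picks up the forwarder's zone because no stanza sets TZ for it. A zone written in the raw text (UTC, Z, +04:00) wins over any TZ setting, which is the first rule of the quoted algorithm.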

joesrepsolc
Communicator

I just put all those into a single props.conf and it WORKS. Awesome.

So the incoming data will hit the 1st stanza (sourcetype) and process through that, and also hit the matching hostname stanza, and process through that as well. I was under the initial impression that it only matched 1 stanza, and that's where I was stuck.

Thank You.

0 Karma

nbr
Explorer

Hello joesrepsolc, 

Can you tell me how you have given the stanza for a particular host? Like below?

[sourcetype_name]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q

[hostname]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q
TZ=timezone*

0 Karma

scelikok
SplunkTrust

Hi @nbr,

You should write the host-based stanza like below:

[host::hostname]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q
TZ=timezone*

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

nbr
Explorer

Hello @scelikok

I have given:

[host::hostname]
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 128
NO_BINARY_CHECK = true
CHARSET = UTF-8
disabled = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%Q
TZ = Asia/Dubai

But the logs from that particular host are getting indexed with UTC timings. The server time zone has been set to UTC and that cannot be changed. Is there anything we can do from the Splunk end?

I have already tried pointing the time zone to the datetime.xml file in the HF, but no luck.

0 Karma

DavidHourani
Super Champion

Awesome @joesrepsolc, glad to see that it worked for you!

0 Karma

Arokiaraj1991
New Member

Hi @DavidHourani ,

I have a similar kind of requirement, but I have the hostnames coming in as IPs.

There are too many IPs and it is difficult to add them one by one; also, there is a possibility that new IPs come in at a later point.

Can I try something like [host::10.24.*] ?

I tried it and it seems not to be working. If it is not possible to use a wildcard with an IP for host-based settings, what else would you suggest?

Thanks,

0 Karma

DavidHourani
Super Champion

Hi there,

It should work with IP addresses. If your data is going through an HF before reaching an indexer, then the config should be applied on the HF.

Let me know if it works for you!


Cheers,

David

0 Karma