I've got 95% of this new input working, but was hoping to also configure the TZ (dynamically) based on the host name value. I would like to set the correct time zone based on the hostname starting with "CA" or "KC". I have the timezone settings to add to the props.conf, I just can't seem to figure out how to do this based on the host name.
How can I do that in my props.conf? The dataset is the same format, so I was hoping to do this in the single props.conf file.
if host=CA* then TZ=America/Chicago
if host=KC* then TZ=America/Los_Angeles
Current props.conf:
[sourcetype_name]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q
Hi @joesrepsolc,
You can do this by including stanzas based on the host instead of sourcetype only. It should look something like this in your props.conf:
[host::CA*]
TZ = America/Chicago
[host::KC*]
TZ = America/Los_Angeles
Let me know how that works out for you.
You can see some more examples here:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Propsconf#props.conf.example
Cheers,
David
Hello, we have a similar but slightly different situation.
Will implementing the host:: stanza impact ALL sourcetypes from the host caught by the filter?
We have, for example, IIS logs which are in UTC, and then application logs based on datacenter time zones, CST/CDT or EST/EDT. We tried host:: based on hostname/datacenter/location. But now our IIS logs are coming in "in the future". Any suggestions?
We found a solution that worked in our case.
We have Windows servers in two different data centers, in different time zones. The application log files in each are using the local time zone for the timestamp. We were going to switch based on hostname, BUT that introduced problems where log files like IIS, which are in UTC everywhere, were affected too.
We found in the documentation for props.conf that if TZ for a sourcetype stanza is NOT specified, it will default to (use) the server's local time stamp. That worked for us.
TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as follows:
* If the event has a timezone in its raw text (for example, UTC, -08:00), use that.
* If TZ is set to a valid timezone string, use that.
* If the event was forwarded, and the forwarder-indexer connection uses the version 6.0 and higher forwarding protocol, use the timezone provided by the forwarder.
* Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string
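As an added example (not from any poster in this thread), here is one way to combine the pieces discussed above in a single props.conf: the sourcetype stanza carries the parsing settings, the host:: stanzas supply the per-data-center TZ, and a source:: stanza pins the IIS logs to UTC, because in props.conf a source:: stanza takes precedence over host:: stanzas, which in turn take precedence over sourcetype stanzas when a setting conflicts. The sourcetype name and the IIS log path pattern are assumptions.

```ini
# Added example, not from the thread. Sourcetype name and file path pattern are assumptions.

# Parsing settings shared by every copy of the application log.
# No TZ here on purpose: the host:: stanzas below supply it, and a TZ
# set here would be overridden by them anyway (host:: beats sourcetype).
[app_log]
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\r\n]+)
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%Q
MAX_TIMESTAMP_LOOKAHEAD = 32

# Per-data-center time zone, selected by hostname prefix.
# Wildcard host stanzas must live on the first full Splunk instance that
# parses the data (heavy forwarder or indexer), not on a universal forwarder.
[host::CA*]
TZ = America/Chicago

[host::KC*]
TZ = America/Los_Angeles

# IIS writes its W3C logs in UTC on every host. A source:: stanza outranks
# the host:: stanzas above, so these files keep UTC regardless of which
# data center they come from. "..." matches any number of path segments;
# backslashes in the pattern are doubled. The path pattern is an assumption.
[source::...\\inetpub\\logs\\LogFiles\\...]
TZ = UTC
```

After restarting or reloading the parsing instance, a quick check is to search the IIS sourcetype and the application sourcetype for the same host and confirm that neither shows _time ahead of the current time.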
I just put all those into a single props.conf and it WORKS. Awesome.
So the incoming data will hit the first stanza (sourcetype) and process through that, and also hit the matching hostname stanza and process through that as well. I was under the initial impression that it only matched one stanza, and that's where I was stuck.
Thank You.
Hello joesrepsolc,
Can you tell me how you have given the stanza for a particular host? Like below?
[sourcetype_name]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q
[hostname]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q
TZ=timezone*
Hi @nbr,
You should write the host-based stanza like below:
[host::hostname]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q
TZ=timezone*
Hello @scelikok,
I have given:
[host::hostname]
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 128
NO_BINARY_CHECK = true
CHARSET = UTF-8
disabled = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%Q
TZ = Asia/Dubai
But the logs from that particular host are getting indexed in UTC timings. The server time zone has been set to UTC and that cannot be changed. Is there anything we can do from the Splunk end?
I have already tried pointing the time zone to the datetime.xml file in the HF, but no luck.
Awesome @joesrepsolc, glad to see that it worked for you!
Hi @DavidHourani ,
I have a similar kind of requirement, but I have the hostnames coming in as IPs.
There are too many IPs and it is difficult to add everything one by one, and also there is a possibility that some new IPs come in at a later point.
Can I try something like [host::10.24.*]?
I tried it and it seems not to be working. If it is not possible to use a wildcard with an IP for host-based settings, what else would you suggest?
Thanks,
Hi there,
It should work with IP addresses. If your data is going through an HF before reaching an indexer, then the config should be applied on the HF.
Let me know if it works for you!
Cheers,
David