Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

IIS + DST = Time Conversion Problem

Justin
Path Finder
‎06-01-2012 05:58 PM

I have been searching the forums for a solution to my problem, but have not found a solution that has worked. So I decided to try asking.

I have a remote server running IIS that has Splunk (4.3.1) installed and setup as a lightweight forwarder. I have Splunk grabbing the local IIS logs and sending them to my main Splunk (4.3.1) indexer. On the remote system, I have not made any changes to conf files. On the indexer, I setup the props.conf file with this:

[iis-3]
pulldown_type = true 
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REPORT-iis_default = iis_referer
TRANSFORMS-comment = comment
TZ=Europe/London

"iis-3" is the sourcetype and "iis_referer" is the transforms mapping that I created.

The logs are being parsed fine for all their values except the time. The time zone setting of "Europe/London" was working correctly until the last Daylight Savings Time (DST) change. The index server and I are in "America/Los_Angeles". The indexer retrieves time from an NTP server and is set to the correct time and time zone. If I run a query to see the latest event in the IIS log, it shows the latest event (in a Splunk translated time) of 1 hour earlier than what it should be showing.

Do I need to use another TZ value or something else?

Tags (4)
0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution

Re: IIS + DST = Time Conversion Problem

lguinn2
Legend
‎06-04-2012 01:36 PM

I thought that IIS logs were always stored in UTC. If so, your setting should say

TZ=UTC

I wonder if perhaps you have been affected by "British Summer Time" - as Europe/London would be affected by that, while UTC would not... I don't think the problem is caused by the "America/Los Angeles" setting.

0 Karma
Reply
Highlighted
Solved! Jump to solution
Solution

Re: IIS + DST = Time Conversion Problem

Justin
Path Finder
‎06-08-2012 12:48 PM

I was able to get the time conversion to work. What I did was upgrade to splunk version 4.3.2 on the forwarder and indexer, added spaces around the "=" for the TZ variable, changed the timezone to "Africa/Casablanca", and I restarted the splunkd service on the indexer. I am not sure if all of those were required for the fix, but after I did all that the time conversions started working.

Here is the new props.conf config from the indexer for reference.

[iis-3]
pulldown_type = true 
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REPORT-iis_referer = iis_referer
TRANSFORMS-comment = comment
TZ = Africa/Casablanca

View solution in original post

0 Karma
Reply