Getting Data In

IIS Timezone Help

brandnew_users
Explorer

I think i'm going mad.

I'm a brand new user who's eval-ing splunk, seems powerful but i'd like to get all my logs in time order to show app + iis events together. I have a IIS 6.0 web and have manually imported the logs into splunk using the add data and choosing iis logs.

I've created a blank props.conf file in the \etc\local directory.

in that file is only this:

[iis-2] TZ = GMT

restart splunk and no change. I've also tried:

[sourcetype::iis-2]

TZ = GMT - even tried using Africa/Sao_Tome

i've also wildcarded the iis-2 with iis*.

Nothing seems to work. Do i need to delete all the data for the change to take affect? am i missing something -- very likely!

thanks in advance for any and all assistance!

Tags (2)
0 Karma
1 Solution

brandnew_users
Explorer

well i've found the answer. It seems that splunk does not go back and update any files (iis logs manually copied to the splunk server) that have been added previously to the props.conf change. I've added a new file and hey presto it has the timezone correct.

in case anyone else has this issue this worked for me:

--blank props.conf file

[iis-2] TZ = GMT

View solution in original post

brandnew_users
Explorer

well i've found the answer. It seems that splunk does not go back and update any files (iis logs manually copied to the splunk server) that have been added previously to the props.conf change. I've added a new file and hey presto it has the timezone correct.

in case anyone else has this issue this worked for me:

--blank props.conf file

[iis-2] TZ = GMT

proctorgeorge
Path Finder

I am a little confused at your setup, could you expand on it?

-Are you using a Indexer/Forwarder relationship or is this all on one box?

-Is "iis-2" a sourcetype? a source? a host?

If you can answer those then I may be able to help more, in the mean time I made a post about timezones in a different question, it may be able to help you HERE

Here is the excerpt from that post:

I had a pain syncing my timezones too, here is the info that helped me out:

First, you should note that the Splunk Indexer sets everything relative to its own time zone. Thus if you want to have the Logs be indexed based on CST, the indexers timezone must be set to CST. The Indexer gets its timezone info from the clock set on the machine its installed on, so to reiterate, the Indexer machines Time and Date settings should be set to CST if that is the timezone you want to base inputs off of. Yes, it is kinda annoying, w/e.

Secondly, all machines that are in a different time zone from your Indexer (anything not in CST) will need to have a TZ setting in props.conf. The TZ setting will be set to whatever timezone the forwarding host is in, thus if the Indexer is in CST and the Forwarder is in EST then the TZ set in props.conf on the Indexer for the Forwarder would be set to EST. Splunk will then figure out the difference between the two timezones and mark inputs accordingly.

I also noticed that you were not using correct TZ codes for the TZ setting, "GMT" is not a correct TZ code. The list of TZ codes can be found here: http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones (Look under the TZ column)

0 Karma

brandnew_users
Explorer

First up thanks for responding.

I'm using a manual file copy while we eval the product. So copied the file from our IIS server to the test splunk server and then ran add new data (iis) and chose file on this server.

iis-2 is the sourcetype

for the TZ i've tried using GMT and using Africa/Sao_Tome but with no luck on either.

My question is, do i have to delete all the data and then readd splunk offset the time on all previously imported data?

If it does change all existing data then I must have something wrong with my props.conf file?

Thanks again

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...