Getting Data In

Is it possible to set the TZ in props.conf on a Universal Forwarder?

echalex
Builder

Hi,

I have an issue with a sourcetype that logs in UTC/GMT but does not include TZ information, so I would like to set this per sourcetype on the forwarder. Based on this question, it should be possible, but it's just not working for me. The servers themselves are set to GMT+01:00 and other sourcetypes are working well. However, these other sourcetypes also include the zone in the time stamp. I've tried setting it by sourcetype and by source. I've also tried several forms of TZ, but nothing seems to work. I'm using Splunk 6.2.1.

Tried this:

[source::...fubar.log]
# also tried source::.../fubar.log and source::/opt/path/to/fubar.log
TZ=GMT

and this:

[fubar]
TZ=GMT (and UTC and GMT+00:00 and UTC+00:00)

and all kinds of combinations... Nothing seems to work. I can't set the TZ for the host, since there are several sourcetypes with different time zones. I can't really set it on the indexer per sourcetype, because I have no control of the file itself. Any help is appreciated, but is it even possible to do this on the forwarder?

0 Karma

woodcock
Esteemed Legend

Yes, as of v6.0 the 3rd highest precedence for timezone is the TZ value in props.conf on the forwarder (the highest is TZ_ALIAS and the 2nd highest is TZ inside the event). You need to restart the splunk instances on the forwarders, and the change will only apply to data that is forwarded AFTER the configuration is in place (previously forwarded data is immutable and will stay "wrong").

0 Karma

echalex
Builder

Thanks, but as far as I can tell, I've done what you suggested. TZ has been set and the forwarders restarted. Still, the time in Splunk remains the same time as in the file(s).

0 Karma

woodcock
Esteemed Legend

You need to upgrade your forwarder. The documentation here:

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Applytimezoneoffsetstotimestamps

says this:

If the forwarder and the receiving indexer are version 6.0 or later, use the time zone that the forwarder provides.

Then bounce your forwarder's Splunk instance(s).

0 Karma

inventsekar
Ultra Champion

Maybe, if possible, try host-wise instead of source-wise.
Not sure of this, but did you try "TZ=GMT" and "TZ = GMT" (with spaces)?

Note: If you have Splunk Enterprise and you change the time zone setting of the host machine, you must restart Splunk Enterprise for the software to detect the change.

The first example sets the time zone to US/Eastern for any events coming from hosts whose names match the regular expression nyc.*:

[host::nyc*]
TZ = US/Eastern

The second example sets the time zone to US/Pacific for any events coming from sources in the path /mnt/ca/...:

[source::/mnt/ca/...]
TZ = US/Pacific

http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Applytimezoneoffsetstotimestamps

0 Karma

echalex
Builder

I'm afraid I don't have the option of setting the TZ host-wise, because of the reasons outlined above.

0 Karma
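An added illustration, not taken from any of the posts above, of why a missing zone indicator matters and how to check whether a forwarder-side TZ override actually took effect. The sample log line, the host offset (GMT+01:00, as in the question) and the assumption that the file is written in UTC are constructed for this example; the idea is to compute the epoch an event should have been given, compare it with the _time that was indexed, and read the difference as the applied-zone error.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log line matching the thread's scenario: the file is
# written in UTC/GMT, but the line itself carries no zone indicator.
SAMPLE_LINE = "2015-01-15 10:00:00 INFO fubar started"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Assumed offsets for illustration only: the forwarder host runs at
# GMT+01:00 (as stated in the question); the log is actually in UTC.
HOST_TZ = timezone(timedelta(hours=1))
LOG_TZ = timezone.utc


def parse_naive(line):
    """Extract the leading timestamp; like the real log, it has no tzinfo."""
    return datetime.strptime(line[:19], TIME_FORMAT)


def epoch_assuming(line, tz):
    """Epoch the indexer assigns if it assumes zone `tz` for the naive timestamp."""
    return int(parse_naive(line).replace(tzinfo=tz).timestamp())


def expected_epoch(line):
    """The epoch the event really represents: the naive time read as UTC."""
    return epoch_assuming(line, LOG_TZ)


def tz_skew_seconds(indexed_time, line):
    """Indexed _time minus the correct epoch.

    0 means the TZ override was applied. For a host at GMT+01:00 reading a
    UTC log, the wrong (host-zone) interpretation yields -3600: every event
    lands one hour earlier than it happened.
    """
    return indexed_time - expected_epoch(line)


def diagnose(indexed_time, line):
    """Human-readable verdict for one indexed event."""
    skew = tz_skew_seconds(indexed_time, line)
    if skew == 0:
        return "ok"
    return f"_time off by {skew:+d}s; naive timestamp was read in the wrong zone"


def displayed_time(epoch, display_tz):
    """What a user whose Splunk UI is set to `display_tz` sees for this epoch.

    With the override working, a 10:00 UTC line shows as 11:00 to a user at
    GMT+01:00; if the UI shows the same wall-clock time as the file, the
    host zone was used instead.
    """
    return datetime.fromtimestamp(epoch, display_tz).strftime(TIME_FORMAT)


if __name__ == "__main__":
    wrong = epoch_assuming(SAMPLE_LINE, HOST_TZ)   # host zone applied
    right = expected_epoch(SAMPLE_LINE)            # TZ override applied
    print("host-zone epoch:", wrong, "->", diagnose(wrong, SAMPLE_LINE))
    print("override epoch: ", right, "->", diagnose(right, SAMPLE_LINE))
    print("seen at GMT+01:00 when correct:", displayed_time(right, HOST_TZ))
```

Run against a handful of indexed events (the epoch in _time beside the raw line), a constant skew equal to the host's UTC offset is the signature of the symptom described in the question: the override was not applied and the naive timestamps were read in the host zone.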