Getting Data In

Is it possible to set the TZ in props.conf on a Universal Forwarder?

echalex
Builder

Hi,

I have an issue with a sourcetype that logs in UTC/GMT but does not include TZ information, so I would like to set this per sourcetype on the forwarder. Based on this question, it should be possible, but it's just not working for me. The servers themselves are set to GMT+01:00 and other sourcetypes are working well. However, these other sourcetypes also include the zone in the time stamp. I've tried setting it by sourcetype and by source. I've also tried several forms of TZ, but nothing seems to work. I'm using Splunk 6.2.1.

Tried this:

[source::...fubar.log]
# also tried source::.../fubar.log and source::/opt/path/to/fubar.log
TZ=GMT

and this:

[fubar]
TZ=GMT (and UTC and GMT+00:00 and UTC+00:00)

and all kinds of combinations... Nothing seems to work. I can't set the TZ for the host, since there are several sourcetypes with different time zones. I can't really set it on the indexer per sourcetype, because I have no control of the file itself. Any help is appreciated, but is it even possible to do this on the forwarder?

0 Karma

woodcock
Esteemed Legend

Yes, as of v6.0 the 3rd highest precedence for timezone is the TZ value in props.conf on the forwarder (the highest is TZ_ALIAS and the 2nd highest is TZ inside the event). You need to restart the splunk instances on the forwarders, and the change will only apply to data that is forwarded AFTER the configuration is in place (previously forwarded data is immutable and will stay "wrong").

0 Karma
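For reference, here is a props.conf fragment that sets the time zone on the Universal Forwarder the way the answer above describes. This is an added example, not configuration posted by anyone in the thread; the sourcetype name and file path are the ones from the question, and the app directory name is an assumption. It shows both stanza forms the question tried (by sourcetype and by source) so either can be used on its own.

```ini
# $SPLUNK_HOME/etc/apps/tz_fix/local/props.conf on the Universal Forwarder
# (added example; "tz_fix" is an assumed app name, not something from the thread)

# Sourcetype stanza: applies to every input that inputs.conf labels
# with sourcetype = fubar on this forwarder.
[fubar]
TZ = UTC

# Source stanza: applies by file path instead. "..." matches any number of
# directory levels, "*" matches within a single path segment. If both a source
# and a sourcetype stanza match the same event, the source stanza wins.
[source::/opt/path/to/fubar.log]
TZ = UTC

# TZ_ALIAS is only for remapping a zone abbreviation that already appears in the
# event text (for example IST=GMT+05:30); it does nothing for events with no
# zone in the timestamp, so it is not the knob for this case.
```

After restarting the forwarder, `splunk btool props list fubar --debug` on the forwarder shows whether the stanza is actually being read and from which file. To check the result in search: with the host clock at GMT+01:00 and the file written in UTC, a correctly timed event should display one hour later than the raw timestamp text to a user whose Splunk time zone is GMT+01:00. If `_time` still matches the raw text exactly, the offset has not been applied, which is the symptom described in the question. Note that the receiving indexer must also be 6.0 or later for the forwarder's TZ to be honoured.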

echalex
Builder

Thanks, but as far as I can tell, I've done what you suggested. TZ has been set and the forwarders restarted. Still, the time in Splunk remains the same time as in the file(s)

0 Karma

woodcock
Esteemed Legend

You need to upgrade your forwarder. The documentation here:

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Applytimezoneoffsetstotimestamps

says this:

If the forwarder and the receiving indexer are version 6.0 or later, use the time zone that the forwarder provides.

Then bounce your forwarder's Splunk instance(s).

0 Karma

inventsekar
SplunkTrust

Maybe, if possible, try host-wise instead of source-wise.
Not sure of this, but did you try "TZ=GMT" and "TZ = GMT" (with spaces)?

Note: If you have Splunk Enterprise and you change the time zone setting of the host machine, you must restart Splunk Enterprise for the software to detect the change.

The first example sets the time zone to US/Eastern for any events coming from hosts whose names match the regular expression nyc.*:

[host::nyc*]
TZ = US/Eastern

The second example sets the time zone to US/Pacific for any events coming from sources in the path /mnt/ca/...:

[source::/mnt/ca/...]
TZ = US/Pacific

http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Applytimezoneoffsetstotimestamps

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading!

0 Karma

echalex
Builder

I'm afraid I don't have the option of setting the TZ host-wise, because of the reasons outlined above.

0 Karma