I have a JBoss/Tomcat access log that has an incorrect Timezone configuration, causing Splunk to set the time to an hour ahead.
172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0
The server is correctly set at PDT, but something is setting this log to stay at -0800. The developer isn't sure where this is set, and it would take some time to correct even when we do find the location. How do I properly change the time for this source? It occurs on several hosts (dev/test/staging/production), but only for this source file.
I've set props.conf on the indexer to:
[source::/my/app/path/localhost_access*]
TZ=PDT
Is this incorrect? It didn't change the behavior and I verified with btool that it's in effect.
You should be able to use TZ_ALIAS like this:
TZ_ALIAS=-0800=PDT
Some additional things worth trying:
First, set an explicit TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in addition to a TZ for this source. Make the TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD explicitly ignore the "-0800" bit, preferably by setting MAX_TIMESTAMP_LOOKAHEAD small enough to where the "-0800" part isn't considered.
If that doesn't work, as hideous as it is, you could filter out the "-0800" using a SEDCMD. (I really hope it doesn't come to this.)
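The TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD approach from the answer above, written out as a props.conf stanza. This is an added example, not posted by anyone in this thread. TIME_PREFIX is an assumption that does not appear in the thread, and the format and character count are derived from the sample log line in the question.

```ini
# props.conf on the instance that parses this source (indexer or heavy forwarder)
[source::/my/app/path/localhost_access*]

# Assumption: the timestamp starts right after the first "[" in the event
TIME_PREFIX = \[

# 09/Apr/2012:15:51:56.783 -> day/month/year:hour:minute:second.milliseconds
# No %z in the format, so the trailing "-0800" is not part of the timestamp
TIME_FORMAT = %d/%b/%Y:%H:%M:%S.%3N

# "09/Apr/2012:15:51:56.783" is 24 characters, counted from the end of the
# TIME_PREFIX match; the scan stops before " -0800"
MAX_TIMESTAMP_LOOKAHEAD = 24

# With no offset read from the event, this zone is applied instead
TZ = US/Pacific
```

Timestamp settings are applied when events are parsed for indexing, so only events indexed after the change pick up the corrected time.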
Used the data import function on my local instance to set this up. Looks like this will be the answer.
Splunk uses zoneinfo TZ database values (see http://docs.splunk.com/Documentation/Splunk/4.3.1/data/Applytimezoneoffsetstotimestamps and http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones ). Did you try US/Pacific for the TZ value?
Yes, I just tried TZ=US/Pacific, but no change.
4/9/12 5:29:41.000 PM
[09/Apr/2012:16:29:41 -0800] 172.27.140.119 user1 - HTTP/1.1 POST 200 8969 98 /app/unitSubstitution/loadJSON