Overriding TZ for source

mikelanghorst
Motivator

I have a JBoss/Tomcat access log that has an incorrect Timezone configuration, causing Splunk to set the time to an hour ahead.

172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0

The server is correctly set at PDT, but something is setting this log to stay at -0800. The developer isn't sure where this is set, and it would take some time to correct even when we do find the location. How do I properly change the time for this source? It occurs on several hosts (dev/test/staging/production), but only for this source file.

I've set props.conf on the indexer to:
[source::/my/app/path/localhost_access*]
TZ=PDT

Is this incorrect? It didn't change the behavior and I verified with btool that it's in effect.

woodcock
Esteemed Legend

You should be able to use TZ_ALIAS like this:

TZ_ALIAS=-0800=PDT
0 Karma

dwaddle
SplunkTrust

Some additional things worth trying:

First, set an explicit TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in addition to a TZ for this source. Make the TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD explicitly ignore the "-0800" bit, preferably by setting MAX_TIMESTAMP_LOOKAHEAD small enough to where the "-0800" part isn't considered.

If that doesn't work, as hideous as it is, you could filter out the "-0800" using a SEDCMD. (I really hope it doesn't come to this.)
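Added example, not part of the post above and not Splunk's own code: a small Python sketch of why the event lands an hour ahead when the literal "-0800" is honoured, and how a lookahead window that stops before the offset lets the configured zone apply instead. It uses the sample event from the question; the function names are hypothetical, and a fixed UTC-7 offset is assumed to stand in for US/Pacific on the sample date.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed from the sample event in the question.
SAMPLE = ('172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] '
          '"HEAD /index.html HTTP/1.1" 200 0')

# Assumption: fixed UTC-7 stands in for US/Pacific on 9 April 2012 (DST in effect).
PDT = timezone(timedelta(hours=-7), "PDT")

PREFIX = re.compile(r"\[")                    # timestamp starts right after "["
FMT_NO_OFFSET = "%d/%b/%Y:%H:%M:%S.%f"        # deliberately contains no %z
LOOKAHEAD = len("09/Apr/2012:15:51:56.783")   # 24 characters, ends before " -0800"


def window(line, lookahead=LOOKAHEAD):
    """Return the characters a lookahead-limited timestamp parser would see."""
    m = PREFIX.search(line)
    if m is None:
        raise ValueError("no timestamp prefix in event")
    return line[m.end():m.end() + lookahead]


def parse_trusting_offset(line):
    """Honour the offset written in the event (the incorrect -0800)."""
    text = window(line, lookahead=LOOKAHEAD + len(" -0800"))
    return datetime.strptime(text, FMT_NO_OFFSET + " %z")


def parse_ignoring_offset(line, tz=PDT):
    """Read only the wall-clock digits, then apply the configured zone."""
    return datetime.strptime(window(line), FMT_NO_OFFSET).replace(tzinfo=tz)


def skew_seconds(line):
    """Seconds by which the offset-trusting parse runs ahead of the corrected one."""
    delta = parse_trusting_offset(line) - parse_ignoring_offset(line)
    return int(delta.total_seconds())


if __name__ == "__main__":
    print("seen by parser :", window(SAMPLE))
    print("trusting offset:", parse_trusting_offset(SAMPLE).astimezone(PDT))
    print("ignoring offset:", parse_ignoring_offset(SAMPLE).astimezone(PDT))
    print("skew (seconds) :", skew_seconds(SAMPLE))
```

The 24-character window corresponds to the MAX_TIMESTAMP_LOOKAHEAD idea described above for this event layout; a source whose timestamp has no milliseconds needs a shorter window.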

mikelanghorst
Motivator

Used the data import function on my local instance to set this up. Looks like this will be the answer.

0 Karma

ChrisG
Splunk Employee

Splunk uses zoneinfo TZ database values (see http://docs.splunk.com/Documentation/Splunk/4.3.1/data/Applytimezoneoffsetstotimestamps and http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones ). Did you try US/Pacific for the TZ value?

mikelanghorst
Motivator

Yes, I just tried TZ=US/Pacific, but no change.

» 4/9/12
5:29:41.000 PM

[09/Apr/2012:16:29:41 -0800] 172.27.140.119 user1 - HTTP/1.1 POST 200 8969 98 /app/unitSubstitution/loadJSON

0 Karma