Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Overriding TZ for source

mikelanghorst
Motivator
‎04-09-2012 04:00 PM

I have a JBoss/Tomcat access log that has an incorrect Timezone configuration, causing Splunk to set the time to an hour ahead.

172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0

The server is correctly set at PDT, but something is setting this log to stay at -0800. The developer isn't sure where this is set, and would take some time to correct even when we do find the location. How do I properly change the time for this source? It occurs on several hosts (dev/test/staging/production), but only for this source file.

I've set props.conf on the indexer to:
[source::/my/app/path/localhost_access*]
TZ=PDT

Is this incorrect? It didn't change the behavior and I verified with btool that it's in effect.

Tags (1)
Reply

woodcock
Esteemed Legend
‎06-28-2015 08:48 PM

You should be able to use TZ_ALIAS like this:

TZ_ALIAS=-0800=PDT
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎04-09-2012 05:27 PM

Some additional things worth trying:

First, set an explicit TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in addition to a TZ for this source. Make the TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD explicitly ignore the "-0800" bit, preferably by setting MAX_TIMESTAMP_LOOKAHEAD small enough to where the "-0800" part isn't considered.

If that doesn't work, as hideous as it is you could filter out the "-0800" using a SEDCMD. (I really hope it doesn't come to this)

Reply

mikelanghorst
Motivator
‎04-10-2012 08:22 AM

Used the data import function on my local instance to set this up. Looks like this will be the answer.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎04-09-2012 04:26 PM

Splunk uses zoneinfo TZ database values (see http://docs.splunk.com/Documentation/Splunk/4.3.1/data/Applytimezoneoffsetstotimestamps and http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones ). Did you try US/Pacific for the TZ value?

Reply

mikelanghorst
Motivator
‎04-09-2012 04:31 PM

Yes, I just tried TZ=US/Pacific, but no change.

» 4/9/12
5:29:41.000 PM

[09/Apr/2012:16:29:41 -0800] 172.27.140.119 user1 - HTTP/1.1 POST 200 8969 98 /app/unitSubstitution/loadJSON

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...