Overriding TZ for source

mikelanghorst
Motivator

I have a JBoss/Tomcat access log that has an incorrect Timezone configuration, causing Splunk to set the time to an hour ahead.

172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0

The server is correctly set at PDT, but something is setting this log to stay at -0800. The developer isn't sure where this is set, and would take some time to correct even when we do find the location. How do I properly change the time for this source? It occurs on several hosts (dev/test/staging/production), but only for this source file.

I've set props.conf on the indexer to:
[source::/my/app/path/localhost_access*]
TZ=PDT

Is this incorrect? It didn't change the behavior and I verified with btool that it's in effect.

woodcock
Esteemed Legend

You should be able to use TZ_ALIAS like this:

TZ_ALIAS=-0800=PDT
dwaddle
SplunkTrust

Some additional things worth trying:

First, set an explicit TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in addition to a TZ for this source. Make the TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD explicitly ignore the "-0800" bit, preferably by setting MAX_TIMESTAMP_LOOKAHEAD small enough that the "-0800" part isn't considered.

If that doesn't work, as hideous as it is you could filter out the "-0800" using a SEDCMD. (I really hope it doesn't come to this)
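The following script is an added illustration, not code from the thread or from Splunk: it models the two timestamp interpretations the question and the answer above are about. Honouring the "-0800" written into the event (what Splunk does when the parsed TIME_FORMAT includes the offset) versus ignoring it and applying TZ=US/Pacific to the wall-clock time (what a TIME_FORMAT with no offset field plus a short MAX_TIMESTAMP_LOOKAHEAD achieves), and it also applies the SEDCMD-style rewrite that deletes the literal offset. The two log lines are the ones quoted in the thread, reused as sample input; the regex, function names and the fallback to a fixed -0700 offset when no tzdata is installed are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# The two access-log lines quoted in the thread, reused here as sample input.
SAMPLE_LINES = [
    '172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0',
    '[09/Apr/2012:16:29:41 -0800] 172.27.140.119 user1 - HTTP/1.1 POST 200 8969 98 /app/unitSubstitution/loadJSON',
]

# Bracketed timestamp: date/time, optional milliseconds, optional numeric offset.
# The offset group is optional so a line already rewritten by a SEDCMD still parses.
TS_RE = re.compile(
    r"\[(?P<stamp>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<ms>\d{3}))?"
    r"(?: (?P<offset>[+-]\d{4}))?\]"
)


def pacific_tz():
    """US/Pacific from the system zoneinfo database, the value ChrisG suggests for TZ.
    Assumption for this example only: if no tzdata is installed, fall back to the
    fixed PDT offset that was in force in April 2012."""
    try:
        return ZoneInfo("US/Pacific")
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=-7), "PDT")


def parse_with_offset(line):
    """Trust the offset written in the event (TIME_FORMAT that reads the offset).
    Returns the epoch seconds Splunk would assign."""
    m = TS_RE.search(line)
    if m is None or m.group("offset") is None:
        raise ValueError("line has no bracketed timestamp with a numeric offset")
    text = f"{m.group('stamp')}.{m.group('ms') or '000'} {m.group('offset')}"
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S.%f %z").timestamp()


def parse_ignoring_offset(line, tz=None):
    """Read only the wall-clock part and apply the source's TZ, never the offset
    (TIME_FORMAT without an offset field plus a short MAX_TIMESTAMP_LOOKAHEAD)."""
    m = TS_RE.search(line)
    if m is None:
        raise ValueError("line has no bracketed timestamp")
    text = f"{m.group('stamp')}.{m.group('ms') or '000'}"
    naive = datetime.strptime(text, "%d/%b/%Y:%H:%M:%S.%f")
    return naive.replace(tzinfo=tz or pacific_tz()).timestamp()


def strip_offset(line, offset="-0800"):
    """Equivalent of a SEDCMD that deletes the literal offset before the closing
    bracket, leaving the rest of the event untouched."""
    return re.sub(rf" {re.escape(offset)}\]", "]", line)


def skew_seconds(line):
    """How far the offset-honouring interpretation lands from the TZ-based one.
    A positive value means the event is indexed that many seconds too late."""
    return parse_with_offset(line) - parse_ignoring_offset(line)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        honoured = parse_with_offset(line)
        corrected = parse_ignoring_offset(line)
        print(f"offset honoured : {datetime.fromtimestamp(honoured, timezone.utc)} UTC")
        print(f"TZ applied      : {datetime.fromtimestamp(corrected, timezone.utc)} UTC")
        print(f"skew            : {skew_seconds(line):.0f} s")
        print(f"after SEDCMD    : {strip_offset(line)}")
```

Running it shows the hour the question describes: with "-0800" honoured the 15:51:56 event becomes 23:51:56 UTC, while the same wall-clock time read as US/Pacific (PDT, -0700 in April) is 22:51:56 UTC, so every event in this source is indexed 3600 seconds late until the offset is ignored or rewritten. In an investigation that is enough to put an access-log entry on the wrong side of an alert or a login recorded elsewhere, which is why the timestamp configuration is worth fixing at ingest rather than mentally adjusting at search time.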

mikelanghorst
Motivator

Used the data import function on my local instance to set this up. Looks like this will be the answer.

ChrisG
Splunk Employee

Splunk uses zoneinfo TZ database values (see http://docs.splunk.com/Documentation/Splunk/4.3.1/data/Applytimezoneoffsetstotimestamps and http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones). Did you try US/Pacific for the TZ value?

mikelanghorst
Motivator

Yes, I just tried TZ=US/Pacific, but no change.

4/9/12 5:29:41.000 PM

[09/Apr/2012:16:29:41 -0800] 172.27.140.119 user1 - HTTP/1.1 POST 200 8969 98 /app/unitSubstitution/loadJSON
