Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Props.conf timezone settings for Eastern? And do I need to reboot any peers?

hrithiktej
Communicator
‎09-22-2017 11:26 AM

In our Slave-Apps directory on the 2 peers/indexers we have a custom app created by the prev admin which has setting for TZ to UTC for network devices that are on UTC. Now i am adding new data source (i.e. AD security logs) using UFs on DCs and our DCs are all in EST TZ and hence i would need to list EST TZ in the props.conf.

My Questions are

1) Is this the right stanza for EST time entry
[WinEventLog://Security]
TZ = US/Eastern

I understand i will have to do this on master-apps folder on cluster master and then apply config bundle

2) Will this require a reboot of any peers ?

Reply
1 Solution
Solved! Jump to solution
Solution

mwdbhyat
Builder
‎09-22-2017 12:22 PM

Hi there,

1 - Yes thats correct

2 - Yes, the cluster master will initiate a restart of its cluster members once you apply the new cluster bundle. Please see here for what requires a restart and what doesnt..

http://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Updatepeerconfigurations#Restart_or_reload...

View solution in original post

Reply
Solved! Jump to solution

hrithiktej
Communicator
‎09-23-2017 08:45 AM

Are you sure the time zone is right? or should it be EST?

0 Karma
Reply
Solved! Jump to solution

mwdbhyat
Builder
‎09-23-2017 09:15 AM

Sure am:

http://docs.splunk.com/Documentation/Splunk/6.6.3/Admin/Propsconf --search for "The following example sets Eastern Time Zone"

0 Karma
Reply
Solved! Jump to solution

hrithiktej
Communicator
‎09-23-2017 11:52 AM

Ok yeah i see that but its not working for medid u see my props.conf in the below comment and also i am defining TZ by sourcetype and not host will that make a difference ?

0 Karma
Reply
Solved! Jump to solution

hrithiktej
Communicator
‎09-23-2017 12:03 PM

I tried with host entry as well it did not work , still when i go to last 4hrs only then i can see events otherwise in realtime search or last 15 or 60mins it does not show up

[host::dc1-corpdc01]
TZ = US/Eastern

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...