Solved: Re: Props.conf timezone settings for Eastern? And ... - Page 2

hrithiktej · ‎09-22-2017

In our Slave-Apps directory on the 2 peers/indexers we have a custom app created by the prev admin which has setting for TZ to UTC for network devices that are on UTC. Now i am adding new data source (i.e. AD security logs) using UFs on DCs and our DCs are all in EST TZ and hence i would need to list EST TZ in the props.conf.

My Questions are

1) Is this the right stanza for EST time entry
[WinEventLog://Security]
TZ = US/Eastern

I understand i will have to do this on master-apps folder on cluster master and then apply config bundle

2) Will this require a reboot of any peers ?

mwdbhyat · ‎09-22-2017

Hi there,

1 - Yes thats correct

2 - Yes, the cluster master will initiate a restart of its cluster members once you apply the new cluster bundle. Please see here for what requires a restart and what doesnt..

http://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Updatepeerconfigurations#Restart_or_reload...

View solution in original post

hrithiktej · ‎09-23-2017

Are you sure the time zone is right? or should it be EST?

mwdbhyat · ‎09-23-2017

Sure am:

http://docs.splunk.com/Documentation/Splunk/6.6.3/Admin/Propsconf --search for "The following example sets Eastern Time Zone"

hrithiktej · ‎09-23-2017

Ok yeah i see that but its not working for medid u see my props.conf in the below comment and also i am defining TZ by sourcetype and not host will that make a difference ?

hrithiktej · ‎09-23-2017

I tried with host entry as well it did not work , still when i go to last 4hrs only then i can see events otherwise in realtime search or last 15 or 60mins it does not show up

[host::dc1-corpdc01]
TZ = US/Eastern

Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!