Getting Data In

Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Communicator

In our Slave-Apps directory on the 2 peers/indexers we have a custom app created by the previous admin which has a setting for TZ to UTC for network devices that are on UTC. Now I am adding a new data source (i.e. AD security logs) using UFs on DCs, and our DCs are all in the EST TZ, hence I would need to list the EST TZ in props.conf.

My questions are:

1) Is this the right stanza for the EST time entry?
[WinEventLog://Security]
TZ = US/Eastern

I understand I will have to do this in the master-apps folder on the cluster master and then apply the config bundle.

2) Will this require a reboot of any peers?

0 Karma

Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Builder

Hi there,

1 - Yes, that's correct.

2 - Yes, the cluster master will initiate a restart of its cluster members once you apply the new cluster bundle. Please see here for what requires a restart and what doesn't.

http://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Updatepeerconfigurations#Restart_or_reload...


0 Karma

Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Communicator

Are you sure the time zone is right? Or should it be EST?

0 Karma

Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Builder

Sure am:

http://docs.splunk.com/Documentation/Splunk/6.6.3/Admin/Propsconf (search for "The following example sets Eastern Time Zone")

0 Karma

Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Communicator

OK, yeah, I see that, but it's not working for me. Did you see my props.conf in the comment below? Also, I am defining TZ by sourcetype and not host; will that make a difference?

0 Karma

Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Communicator

I tried with a host entry as well; it did not work. Still, only when I go to last 4 hrs can I see events; otherwise, in a real-time search or last 15 or 60 mins, they do not show up.

[host::dc1-corpdc01]
TZ = US/Eastern

0 Karma

Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Communicator

This is my props.conf on the indexers:

[cisco:asa]
TZ = UTC

[cisco:ise:syslog]
TZ = UTC

[cisco:acs]
TZ = UTC

[cisco:ios]
TZ = UTC

[cisco:sourcefire]
TZ = UTC

[f5:bigip:syslog]
TZ = UTC

[pan:log]
TZ = UTC

[WinEventLog://Security]
TZ = US/Eastern

[catchall:catchall]
TZ = UTC

It is not working for events that are coming in for [WinEventLog://Security], because if I search for last 15 mins or 60 mins I don't get results; ONLY when I select last 4 hours can I see results. I also tried switching my user time zone from UTC to EST through Settings > Users > my user > Timezone as EST and logging out/in, but still the same issue.

And I have installed Splunk_TA_windows on my UF that sits on the DC.

Any help will be appreciated.

0 Karma
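One thing worth checking against the props.conf posted above: props.conf keys its stanzas on [<sourcetype>], [source::<source>] or [host::<host>], while the "<scheme>://<name>" form (WinEventLog://Security) is how inputs.conf names an input. A TZ placed under a header of that form has nothing to match, so the events keep whatever timestamp interpretation they had before. The script below is an added diagnostic written for this thread, not Splunk code and not part of Splunk_TA_windows; it parses the posted props.conf (embedded as the sample input), classifies each stanza header, flags headers that can never match, and, where the local tzdata is available, confirms that each TZ value is a known zone name.

```python
"""Audit a Splunk props.conf for TZ settings that can never take effect.

Added diagnostic for this thread (not Splunk's code). props.conf stanza
headers must be one of [<sourcetype>], [source::<source>], [host::<host>]
(or rule::/delayedrule::); a header such as [WinEventLog://Security] is the
inputs.conf stanza form and matches no event in props.conf.
"""
import re

try:
    from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
except ImportError:  # Python < 3.9 has no zoneinfo module
    ZoneInfo = None

# Sample input: the props.conf posted in the thread, embedded verbatim.
PROPS_CONF = """\
[cisco:asa]
TZ = UTC

[cisco:ise:syslog]
TZ = UTC

[cisco:acs]
TZ = UTC

[cisco:ios]
TZ = UTC

[cisco:sourcefire]
TZ = UTC

[f5:bigip:syslog]
TZ = UTC

[pan:log]
TZ = UTC

[WinEventLog://Security]
TZ = US/Eastern

[catchall:catchall]
TZ = UTC
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_props(text):
    """Parse props.conf text into {stanza: {key: value}}; blanks and # comments skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value")
    return stanzas


def classify_stanza(name):
    """Return the props.conf stanza kind, or 'inputs-style' for a header that cannot match."""
    if name.startswith("host::"):
        return "host"
    if name.startswith("source::"):
        return "source"
    if name.startswith(("rule::", "delayedrule::")):
        return "rule"
    if "://" in name:
        # "<scheme>://<name>" is the inputs.conf naming form (e.g. WinEventLog://Security);
        # props.conf selects on sourcetype, source:: or host::, so this header never applies.
        return "inputs-style"
    return "sourcetype"


def check_tz_name(tz):
    """'ok', 'not-in-local-tzdata' or 'unchecked' for a TZ value (depends on local tzdata)."""
    if ZoneInfo is None:
        return "unchecked"
    try:
        ZoneInfo(tz)
        return "ok"
    except (ZoneInfoNotFoundError, ValueError):
        return "not-in-local-tzdata"


def audit_tz(text):
    """Return (stanza, kind, tz, tz_status) for every stanza that sets TZ."""
    report = []
    for name, settings in parse_props(text).items():
        if "TZ" in settings:
            tz = settings["TZ"]
            report.append((name, classify_stanza(name), tz, check_tz_name(tz)))
    return report


def find_unmatchable(text):
    """Stanzas whose TZ can never apply because the header is not a props.conf form."""
    return [row for row in audit_tz(text) if row[1] == "inputs-style"]


if __name__ == "__main__":
    for name, kind, tz, status in audit_tz(PROPS_CONF):
        flag = "  <-- inputs.conf-style header, TZ will not apply" if kind == "inputs-style" else ""
        print(f"[{name}] kind={kind} TZ={tz} ({status}){flag}")
```

Run it against the posted file and only the WinEventLog://Security stanza is flagged; the other eight headers are plain sourcetype stanzas. To confirm which stanza an event would actually hit, check the sourcetype and source fields that Splunk_TA_windows assigns to the indexed Security events and write the TZ under that [<sourcetype>] or [source::...] header instead.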

Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Builder

What happens if you don't apply a TZ? What time are you getting for your sourcetype then?

0 Karma

Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Communicator

Same. I did not apply a TZ before; only when this issue started did I realise I should enter TZ in props.conf, and entering it did not make a difference. I also tried entering TZ by creating a props.conf in the UF's local, but no joy.

0 Karma

Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?

Builder

Can you send me an example of the search you are running and a snip of the results?

0 Karma