Getting Data In

Setting Timezone based on hostname extracted with regex

Krishna_R
Path Finder

I have to upload data from different sources (collected manually) and upload to a Splunk indexer. The files are copied to the server with corresponding details & timezone (such as US_Pacific etc) in the path.

'host' field is extracted through host_regex in my inputs.conf file, and part of it is the timezone. e.g. hostname could be abc\tz_US_Pacific or xyz\tz_US_Eastern. (the abc and xyz relate to some other fields).

I'm trying to set the TZ using the props.conf as follows:

[host::*tz_US_Pacific]
TZ = US/Pacific

[mysourcetype]
EXTRACT-...

The Timezone offset is never applied (I have more hosts with Eastern time etc.) and all the logs are indexed with TZ as the local timezone for the Splunk server (which is IST).

Am I missing something here? Do I have to change the order of setting Timezone?


hulahoop
Splunk Employee

Unfortunately it is not possible to configure a host extraction then a timezone based on the host extraction. A suggested workaround is to change the logging convention to write the files to directories by host then apply timezone settings by source.

There is a similar discussion with additional details here: How to Set Timezone in an Advanced Configuration?


BP9906
Builder

This was my exact issue, I had rsyslog feeding 1 log from many servers. I changed rsyslog.conf to be:
$template DynaFile,"/var/log/file-%programname%.log"
local3.* -?DynaFile

I was then able to create source type stanzas to use TZ= for timezone and host field renaming via transforms.

Thank you!


Krishna_R
Path Finder

Agreed 100%.. I'm adding many stanzas each for different TZ...


hulahoop
Splunk Employee

Awesome, glad it worked out. I wish we could just make it possible to set TZ on extracted sourcetypes. 🙂


Krishna_R
Path Finder

I was able to accomplish it by using the source field. Using 2 different stanzas, 1 for sourcetype and another for TZ, works fine.
Thanks!


Krishna_R
Path Finder

Thanks for the quick response. Do you mean to use the source path to set the TZ offset?
I already extract the sourcetype from another part of the path (the path is quite long thanks to all the metadata fields in the path).
So, I already have
[source::...\mysourcetype\...?]
sourcetype = mysourcetype
as a stanza in props.conf. If I add one more as below, would both of them be applied for the same source file or only one of them?
[source::...\tz_US_Pacific\...]
TZ = US/Pacific
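
As an added example (not part of any post in this thread, and not Splunk tooling): a small Python script that generates the per-timezone `[source::...]` stanzas discussed above and lists source paths that no stanza would cover, which would otherwise be indexed in the server's local timezone. The sample paths, the `TZ_BY_TOKEN` map and the function names are assumptions; the stanza pattern copies the form posted in the thread.

```python
import re
from collections import defaultdict

# Assumed mapping from the path token to a TZ value. Only US_Pacific ->
# US/Pacific appears in the thread; the Eastern entry is an assumption.
TZ_BY_TOKEN = {
    "tz_US_Pacific": "US/Pacific",
    "tz_US_Eastern": "US/Eastern",
}

# A whole path segment such as \tz_US_Pacific\ (either separator accepted).
TOKEN_RE = re.compile(r"[\\/](tz_\w+)[\\/]")


def plan(paths):
    """Group source paths by TZ token; collect paths no stanza would cover."""
    covered, uncovered = defaultdict(list), []
    for p in paths:
        m = TOKEN_RE.search(p)
        if m and m.group(1) in TZ_BY_TOKEN:
            covered[m.group(1)].append(p)
        else:
            uncovered.append(p)  # timestamps would fall back to server local time
    return dict(covered), uncovered


def render(covered):
    """Emit one props.conf stanza per token, in the form used in the thread."""
    out = []
    for token in sorted(covered):
        out.append(f"[source::...\\{token}\\...]")
        out.append(f"TZ = {TZ_BY_TOKEN[token]}")
        out.append("")
    return "\n".join(out)


# Constructed sample paths (not from the thread).
SAMPLE = [
    r"D:\drop\abc\tz_US_Pacific\mysourcetype\app.log",
    r"D:\drop\xyz\tz_US_Eastern\mysourcetype\app.log",
    r"D:\drop\def\tz_US_Mountain\mysourcetype\app.log",  # token not in the map
    r"D:\drop\ghi\mysourcetype\app.log",                 # no token at all
]

if __name__ == "__main__":
    covered, uncovered = plan(SAMPLE)
    print(render(covered))
    for p in uncovered:
        print("# no TZ stanza matches:", p)
```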
