I have to upload data from different sources (collected manually) to a Splunk indexer. The files are copied to the server with corresponding details & timezone (such as US_Pacific etc.) in the path.
The 'host' field is extracted through host_regex in my inputs.conf file, and part of it is the timezone, e.g. the hostname could be abc\tz_US_Pacific or xyz\tz_US_Eastern (the abc and xyz relate to some other fields).
I'm trying to set the TZ using the props.conf as follows:
[host::*tz_US_Pacific]
TZ = US/Pacific
[mysourcetype]
EXTRACT-...
The Timezone offset is never applied (I have more hosts with Eastern time etc.) and all the logs are indexed with TZ as the local timezone for the Splunk server (which is IST).
Am I missing something here? Do I have to change the order of setting Timezone?
Unfortunately it is not possible to configure a host extraction then a timezone based on the host extraction. A suggested workaround is to change the logging convention to write the files to directories by host then apply timezone settings by source.
There is a similar discussion with additional details here: How to Set Timezone in an Advanced Configuration?
This was my exact issue. I had rsyslog feeding 1 log from many servers. I changed rsyslog.conf to be:
$template DynaFile,"/var/log/file-%programname%.log"
local3.* -?DynaFile
I was then able to create source type stanzas to use TZ= for timezone and host field renaming via transforms.
Thank you!
Agreed 100%. I'm adding many stanzas, each for a different TZ...
Awesome, glad it worked out. I wish we could just make it possible to set TZ on extracted sourcetypes. 🙂
I was able to accomplish it by using the source field. Using 2 different stanzas, 1 for sourcetype and another for TZ, works fine.
Thanks!
Thanks for the quick response. Do you mean to use the source path to set the TZ offset?
I already extract the sourcetype from another part of the path (the path is quite long thanks to all the metadata fields in the path).
So, I already have
[source::...\mysourcetype\...?]
sourcetype = mysourcetype
as a stanza in props.conf. If I add one more as below, would both of them be applied for the same source file or only one of them?
[source::...\tz_US_Pacific\...]
TZ = US/Pacific
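An added example, not posted by anyone in this thread: a Python helper that generates the per-timezone `[source::...]` stanzas discussed above from a list of file paths, so the many TZ stanzas do not have to be written by hand. The sample paths are constructed, and the rule that a `tz_<Area>_<Location>` directory maps to the TZ name `<Area>/<Location>` is an assumption based on the `tz_US_Pacific` naming in the question.

```python
import re

# Assumption: the timezone is a directory component named tz_<Area>_<Location>
# (e.g. tz_US_Pacific), as in the paths described in the question.
TZ_COMPONENT = re.compile(
    r"(?:^|[\\/])(tz_([A-Za-z]+)_([A-Za-z0-9_+\-]+))(?=[\\/])"
)

def tz_from_path(path):
    """Return (component, tz_name) for the first tz_ directory in path, or None."""
    m = TZ_COMPONENT.search(path)
    if not m:
        return None
    component, area, location = m.groups()
    # Only the first underscore separates area from location, so
    # tz_America_New_York maps to America/New_York.
    return component, f"{area}/{location}"

def build_props(paths, sep="\\"):
    """Build one source stanza per distinct tz_ directory.

    Returns (props_text, unmatched_paths). Paths without a tz_ directory are
    reported, because their events would be indexed in the server's local TZ.
    """
    zones, unmatched = {}, []
    for p in paths:
        hit = tz_from_path(p)
        if hit is None:
            unmatched.append(p)
        else:
            zones.setdefault(*hit)  # keep first-seen order, drop duplicates
    stanzas = [
        f"[source::...{sep}{comp}{sep}...]\nTZ = {tz}" for comp, tz in zones.items()
    ]
    return "\n\n".join(stanzas), unmatched

# Constructed sample paths (not from the thread).
SAMPLE_PATHS = [
    r"D:\uploads\abc\tz_US_Pacific\mysourcetype\app.log",
    r"D:\uploads\xyz\tz_US_Eastern\mysourcetype\app.log",
    r"D:\uploads\abc\tz_US_Pacific\mysourcetype\app2.log",
    r"D:\uploads\misc\mysourcetype\app.log",
]

if __name__ == "__main__":
    props, unmatched = build_props(SAMPLE_PATHS)
    print(props)
    for p in unmatched:
        print(f"# no tz_ directory, server-local TZ would apply: {p}")
```

Review the generated TZ names against the timezone database before deploying them, since the name mapping is only a naming convention.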