Hi everyone. I have logs that are sent to me in Central Standard Time (-6 hours) but there isn't anything in the TA noting that, so all my logs look like they are 6 hours behind.
As such, I went in and added a props.conf in local with the statement
[infoblox:dhcp]
TZ = CST
Pushed the updated TA through the cluster bundle on my cluster master to all indexers and verified they all received the updated TA. Looking at my latest logs (about 30 afterwards) I still see the latest logs showing up as 6 hours behind (no change). I ran btool to see which props settings were being picked up by the app and indeed it shows it there.
/opt/splunk/bin/splunk cmd btool --app=Splunk_TA_infoblox props list
[infoblox:dhcp]
EVAL-...
EXTRACT-...
TZ = CST
Any ideas? I feel like I'm overlooking something obvious.
"The sourcetype is named via a transforms, and then I am calling that name in props for the TZ fix."
Well, there's your issue. Splunk doesn't reiterate over props.conf after changing the sourcetype with a transforms. So you cannot do index time stuff like TZ using the sourcetype you set by transforms. You need to do it on the original sourcetype (or source or host).
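To make the placement concrete, here is an added props.conf/transforms.conf example illustrating the point above; it is not from the original thread or from the Splunk_TA_infoblox app. The transforms stanza name and the original sourcetype ([syslog]) are assumptions; substitute whatever your forwarders actually send.

```ini
# --- transforms.conf ---
# Assumed index-time rule that renames the sourcetype to infoblox:dhcp.
# The stanza name and REGEX are placeholders for this example.
[set_infoblox_dhcp_sourcetype]
REGEX = dhcpd\[
FORMAT = sourcetype::infoblox:dhcp
DEST_KEY = MetaData:Sourcetype

# --- props.conf ---
# The rename is triggered from the ORIGINAL sourcetype's stanza
# (assumed here to be syslog). Index-time settings such as TZ have to
# live in this stanza too (or in a [source::...] / [host::...] stanza),
# because props.conf is not re-evaluated for the rewritten sourcetype.
[syslog]
TRANSFORMS-set_st = set_infoblox_dhcp_sourcetype
TZ = America/Chicago

# The renamed sourcetype only exists after the transform has run, so an
# index-time TZ placed here is never applied to timestamp parsing.
# Search-time settings (EXTRACT-, EVAL-, ...) are still fine here.
[infoblox:dhcp]
# TZ = America/Chicago   (no effect; keep it on the original stanza)
```

Two caveats when checking the result: the props.conf stanza has to be present wherever parsing happens (on heavy forwarders if they sit in front of the indexers, otherwise on the indexers), and a TZ change only affects events indexed after the bundle was applied, so compare against fresh events rather than ones already on disk. `splunk cmd btool props list --debug` shows which file each setting came from, which helps confirm the stanza is the one the parsing pipeline actually hits.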
At this point, I would go over to the universal forwarders and check how the timestamp is generated (is it in the . format?) and any timezone settings there, including timezone setting of the OS.
Try the following format
TZ = CST
Updated it to your suggestions, but events are still showing up as 6 hours behind. I haven't done a rolling restart as --check-restart said it is not required, but at this point I'm not sure what else to try.
Are you sure that the problem isn't your user's Time zone preference setting?
What he is using should work, but I agree with this.
Based on my searching last year - What is the TZ for America Central?
TZ=US/Central seems to be deprecated and it should be TZ=America/Chicago.
I changed it to what you have, repushed and it's showing up in btool. Unfortunately, logs are still showing up "6 hours behind" I appreciate the info on the deprecated naming scheme though!