Getting Data In

Splunk not picking up on timezone set within props

DEAD_BEEF
Builder

Hi everyone. I have logs that are sent to me in Central Standard Time (-6 hours) but there isn't anything in the TA noting that, so all my logs look like they are 6 hours behind.

As such, I went in and added a props.conf in local with the statement

[infoblox:dhcp]
TZ = CST

Pushed the updated TA through the cluster bundle on my cluster master to all indexers and verified they all received the updated TA. Looking at my latest logs (about 30 afterwards) I still see the latest logs showing up as 6 hours behind (no change). I ran btool to see which props settings were being picked up by the app and indeed it shows it there.

/opt/splunk/bin/splunk cmd btool --app=Splunk_TA_infoblox props list

[infoblox:dhcp]
EVAL-...
EXTRACT-...
TZ = CST

Any ideas? I feel like I'm overlooking something obvious.


FrankVl
Ultra Champion

"The sourcetype is named via a transforms, and then I am calling that name in props for the TZ fix."

Well, there's your issue. Splunk doesn't reiterate over props.conf after changing the sourcetype with a transforms. So you cannot do index time stuff like TZ using the sourcetype you set by transforms. You need to do it on the original sourcetype (or source or host).

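A props.conf/transforms.conf layout that illustrates FrankVl's point, as an added example (not the thread's or Splunk_TA_infoblox's own config): the original sourcetype name `infoblox`, the transform name and its regex are assumptions; only `infoblox:dhcp`, `TZ` and the btool check come from the thread.

```ini
# Added example, not from the thread or the TA. "infoblox" as the original
# sourcetype, the transform name and the REGEX are placeholders.

# --- transforms.conf: TA-style rewrite that moves DHCP lines to infoblox:dhcp
[set_infoblox_dhcp_sourcetype]
REGEX    = \bdhcpd\b
FORMAT   = sourcetype::infoblox:dhcp
DEST_KEY = MetaData:Sourcetype

# --- props.conf, BROKEN layout (what the question describes)
# Timestamp parsing, and therefore TZ, runs while the event still carries the
# original sourcetype. props.conf is not re-evaluated after the transform
# renames it, so this TZ is never consulted and events stay 6 hours off.
[infoblox]
TRANSFORMS-set_sourcetype = set_infoblox_dhcp_sourcetype

[infoblox:dhcp]
TZ = America/Chicago

# --- props.conf, FIXED layout
# TZ lives on the stanza the data arrives under; the transform still renames
# the sourcetype, and search-time EXTRACT-/EVAL- settings on [infoblox:dhcp]
# keep working as before. A [source::...] or [host::...] stanza matching the
# incoming data would work the same way for index-time settings.
[infoblox]
TZ = America/Chicago
TRANSFORMS-set_sourcetype = set_infoblox_dhcp_sourcetype
```

Confirm which file the effective TZ comes from with `splunk cmd btool props list infoblox --debug` on an indexer; TZ only affects events indexed after the change, and it is ignored entirely when the raw timestamp already carries an explicit zone offset.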

arkadyz1
Builder

At this point, I would go over to the universal forwarders and check how the timestamp is generated (is it in the . format?) and any timezone settings there, including timezone setting of the OS.


hdbang_splunk
Splunk Employee

Try the following format

TZ = CST

DEAD_BEEF
Builder

Updated it to your suggestions, but events are still showing up as 6 hours behind. I haven't done a rolling restart as --check-restart said it is not required, but at this point I'm not sure what else to try.


woodcock
Esteemed Legend

Are you sure that the problem isn't your user's Time zone preference setting?


woodcock
Esteemed Legend

What he is using should work, but I agree with this.

ddrillic
Ultra Champion

Based on my searching last year - What is the TZ for America Central?

TZ=US/Central seems to be deprecated and it should be TZ=America/Chicago.

DEAD_BEEF
Builder

I changed it to what you have, repushed and it's showing up in btool. Unfortunately, logs are still showing up "6 hours behind". I appreciate the info on the deprecated naming scheme though!
