Standard timezone recognition in Splunk

leatherface
Explorer

We are pulling in log lines from our customers from a wide variety of time zones. The lines start with:

INFO  : 16 Dec 2013 09:49:47,123 AKST

Note that we are getting the logs in via the STOMP protocol and plugin, so there is no Universal Forwarder to configure - the STOMP plugin just pulls the logs as individual lines of text.

So the issue we are experiencing is that with some of the more unusual (but still totally standard) time zones, Splunk is failing to understand the time zone, so that data ends up being imported in the future or the past (in the example above, it thinks the Alaskan Standard Time zone is GMT-1 rather than GMT-8). From various searches I understand I can set a TZ_ALIAS for these edge cases. However, it seems a little odd that Splunk only understands a subset of all standard time zone acronyms - am I missing something to get this working out of the box for all time zones? At the very least, is there a way I can find out which time zones Splunk will/will not understand (so I can set them up ahead of time)?

Thanks in advance for any and all help!


dbylertbg
Path Finder

The official answer can be found here, quoted below:

zoneinfo (TZ) database

The zoneinfo database is a publicly maintained database of time zone values.

UNIX versions of Splunk rely on a TZ database included with the UNIX distribution you're running on. Most UNIX distributions store the database in the directory: /usr/share/zoneinfo.

Solaris versions of Splunk store TZ information in this directory: /usr/share/lib/zoneinfo.

Windows versions of Splunk ship with a copy of the TZ database.

Refer to the zoneinfo (TZ) database for all permissible TZ values.

Unfortunately the Wikipedia page the docs link to is less than helpful as it doesn't actually list the acceptable abbreviations for each time zone. This article lists abbreviations and includes AKST... but it's still not clear if this list is one that Splunk considers valid.

Since I'm running on Linux, I decided to check /usr/share/zoneinfo/America/Anchorage. But that's not helpful either... it's a binary file.

Searching the contents of $SPLUNK_HOME for some common timezone abbreviations led me to the file:

$Splunk_Home/etc/datetime.xml

... whose header comment states:

<!-- This file contains the general formulas for parsing date/time formats. -->

Starting at line 49 it contains the following list:

<define name="_zone" extract="zone">
     <text><![CDATA[((?:(?:UT|UTC|GMT(?![+-])|CET|CEST|CETDST|MET|MEST|METDST|MEZ|MESZ|EET|EEST|EETDST|WET|WEST|WETDST|MSK|MSD|IST|JST|KST|HKT|AST|ADT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|CAST|CADT|EAST|EADT|WAST|WADT|Z)|(?:GMT)?[+-]\d\d?:?(?:\d\d)?)(?!\w))?]]></text>
</define>

So... I can't say for sure but it looks like this may be the list of timezones Splunk will automatically recognize??? I'll also submit feedback to the doc team asking for clarification and linking to this thread.

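As an added check, not from the thread and not Splunk's own tooling: a small Python script that takes the `_zone` pattern quoted in the answer above, applies it to the zone token at the end of each log line, and reports which abbreviations would and would not be matched. It assumes the pattern is used for recognition the way the poster infers; the log lines are constructed, and the optional `load_zone_pattern` reader assumes only the `<define name="_zone"><text>` structure shown in the answer. Abbreviations that come back as unrecognized are the ones to set up TZ_ALIAS entries for ahead of time.

```python
import re
import xml.etree.ElementTree as ET

# The "_zone" pattern quoted from $SPLUNK_HOME/etc/datetime.xml in the
# answer above, with the CDATA wrapper removed. Whether Splunk uses it
# exactly this way for automatic recognition is the poster's inference;
# this script only tests tokens against the pattern as written.
SPLUNK_ZONE_RE = re.compile(
    r"((?:(?:UT|UTC|GMT(?![+-])|CET|CEST|CETDST|MET|MEST|METDST|MEZ|MESZ|"
    r"EET|EEST|EETDST|WET|WEST|WETDST|MSK|MSD|IST|JST|KST|HKT|AST|ADT|EST|EDT|"
    r"CST|CDT|MST|MDT|PST|PDT|CAST|CADT|EAST|EADT|WAST|WADT|Z)|"
    r"(?:GMT)?[+-]\d\d?:?(?:\d\d)?)(?!\w))?"
)

# Shape of the timestamp in the question ("16 Dec 2013 09:49:47,123 AKST");
# the zone token is whatever follows the milliseconds. Constructed here.
TIMESTAMP_RE = re.compile(
    r"\b\d{1,2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2},\d{3} (\S+)"
)

# Constructed sample lines; the first one is the line from the question.
SAMPLE_LINES = [
    "INFO  : 16 Dec 2013 09:49:47,123 AKST",
    "INFO  : 16 Dec 2013 12:49:47,123 EST",
    "WARN  : 16 Dec 2013 18:49:47,123 GMT+2",
    "INFO  : 16 Dec 2013 17:49:47,123 Z",
    "ERROR : 16 Dec 2013 23:19:47,123 +0530",
    "INFO  : 16 Dec 2013 07:49:47,123 HST",
]


def load_zone_pattern(path):
    """Optional: pull the live pattern out of a datetime.xml file.

    Assumes only the <define name="_zone"><text>...</text></define>
    structure quoted in the answer; ElementTree unwraps the CDATA.
    """
    root = ET.parse(path).getroot()
    for define in root.iter("define"):
        if define.get("name") == "_zone":
            return re.compile(define.findtext("text"))
    raise ValueError("no <define name=\"_zone\"> in %s" % path)


def is_recognized(zone, pattern=SPLUNK_ZONE_RE):
    """True if the whole zone token is consumed by the _zone pattern.

    The outer group is optional, so a plain match() always succeeds with an
    empty string; fullmatch() is what tells us the token itself matched.
    """
    return pattern.fullmatch(zone) is not None


def zone_of(line):
    """Return the zone token at the end of the timestamp, or None."""
    m = TIMESTAMP_RE.search(line)
    return m.group(1) if m else None


def audit(lines, pattern=SPLUNK_ZONE_RE):
    """Sort the zone tokens found in the lines into recognized/unrecognized."""
    recognized, unrecognized = set(), set()
    for line in lines:
        zone = zone_of(line)
        if zone is None:
            continue
        (recognized if is_recognized(zone, pattern) else unrecognized).add(zone)
    return {"recognized": sorted(recognized), "unrecognized": sorted(unrecognized)}


if __name__ == "__main__":
    report = audit(SAMPLE_LINES)
    print("recognized by _zone   :", ", ".join(report["recognized"]))
    print("need a TZ_ALIAS entry :", ", ".join(report["unrecognized"]))
```

Run it over a representative sample of each customer's lines (or swap in `load_zone_pattern("/opt/splunk/etc/datetime.xml")` to test against the version actually installed) and any abbreviation listed under "need a TZ_ALIAS entry" is one that will silently fall back to a default offset rather than being parsed from the line.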