My Splunk forwarders are light forwarders, so I am setting the timezone offset for my web servers on my Splunk indexer. In my default app si_idx (/opt/splunk/etc/apps/si_idx/default/props.conf) I place the following:
[host::web*]
TZ = UTC
My web servers are logging in UTC, the event data is as follows:
10:53:24.699
2011-09-27 10:53:24,699 [27] DEBUG SPIN.Wholesale.Presentation.BL.Managers.ChannelRequestManager Channel d3ffba61-0f1a-4e4f-8536-24593a89090b requested at: 27/09/2011 10:53:24
and I wish the Splunk timestamp to be one hour later (Europe/London).
The entry in props.conf above does not work when I restart Splunk; the Splunk timestamp is still in UTC. Where am I going wrong?
thanks, conor
I'm having the same issue in 7.3.2. System is logging in US/Eastern, Splunk is UTC. My props is based on source. Applied it on HF, and Indexer, no change to time setting.
This is still an issue in version 6.5.2. If the sourcetype is defined in inputs and not reassigned in props/transforms it works fine.
After trial and error, it seems to work when I specify it without any spaces and then restart the indexer. Using $SPLUNK_HOME/etc/system/local/props.conf in version 4.3.6:
[source::*\\mydata\\Log*]
TZ=UTC
I seem to be having the same issue. Setting TZ via [host::myhost] has no effect, while using [source::mysource] works. Were you able to get it to work using a host stanza?
PS. I am using Splunk 5.0.10
I noticed the same thing in Splunk 6.1* flavors. I recall it was even reproducible while defining the sourcetype in the data inputs UI. If not done already, I would encourage you to create a support ticket. It's possible this is not a known issue.
We do it by source, which works fine.
[source::\\SERVERNAME\prod-iislogs\...\...\u_ex*.log]
TZ = GMT
thanks rnavis,
Yes, I changed to setting the TZ by source in props.conf and it works just fine; for some reason the same thing did not work by host or sourcetype for me.
anyway, all well now, thanks, conor
Thank you, I was just banging my head on a data source with the TZ command. I usually match on sourcetype and typically it works; in this case it did not (I think due to the fact that I was overriding the sourcetype field). Matching this field on source did the trick for me.
We have managed to sort out the times on our log4j clients at source, but I am still having problems getting the IIS logs to offset correctly. I have placed the following in props.conf on the indexer, but it is having no effect:
[IIS]
TZ = UTC
Does anybody have any info on getting IIS logs to offset to the correct timezone on the indexer?