Getting Data In

TZ offset in props.conf not working

conorglynn
Explorer

My Splunk forwarders are light forwarders, so I am setting my timezone offset for my web servers on my Splunk indexer. In my default app si_idx (/opt/splunk/etc/apps/si_idx/default/props.conf) I place the following:

[host::web*]
TZ = UTC

My web servers are logging in UTC, the event data is as follows:
10:53:24.699

2011-09-27 10:53:24,699 [27] DEBUG SPIN.Wholesale.Presentation.BL.Managers.ChannelRequestManager Channel d3ffba61-0f1a-4e4f-8536-24593a89090b requested at: 27/09/2011 10:53:24

and I wish the splunk timestamp to be one hour later (Europe/London).
The entry in props.conf above does not work when I restart splunk, the splunk timestamp is still in UTC. Where am I going wrong?
thanks, conor
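One way to tell from the indexed data whether a TZ stanza took effect, added here as an example (not part of the original post and not Splunk tooling): it takes the sample event above and compares the indexed `_time` epoch with what each interpretation of the zone-less timestamp would produce. It assumes the indexer's own zone is Europe/London and that this zone is used when no TZ applies; the function names and the sample `_time` values are constructed.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

# Timestamp prefix of the sample event from the question (rest elided).
SAMPLE_EVENT = "2011-09-27 10:53:24,699 [27] DEBUG ..."
TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%f"
TIME_PREFIX_LEN = 23  # length of "YYYY-MM-DD HH:MM:SS,mmm"


def epoch_if_parsed_as(raw_event, zone_name):
    """Epoch the event gets if its zone-less timestamp is read in zone_name."""
    naive = datetime.strptime(raw_event[:TIME_PREFIX_LEN], TIME_FORMAT)
    return naive.replace(tzinfo=ZoneInfo(zone_name)).timestamp()


def diagnose(raw_event, indexed_epoch, intended_zone, fallback_zone, tol=0.01):
    """Classify an indexed _time against the two possible interpretations.

    intended_zone: the TZ value from props.conf (UTC in the question).
    fallback_zone: assumed zone used when no TZ setting is applied.
    """
    intended = epoch_if_parsed_as(raw_event, intended_zone)
    fallback = epoch_if_parsed_as(raw_event, fallback_zone)
    if intended == fallback:
        # Both zones share an offset on this date (London in winter):
        # this event cannot show whether the stanza matched.
        return "inconclusive"
    if abs(indexed_epoch - intended) <= tol:
        return "tz_applied"
    if abs(indexed_epoch - fallback) <= tol:
        return "tz_ignored"
    return "unexpected"


def render(epoch, display_zone):
    """What a user whose display zone is display_zone sees for this epoch."""
    shown = datetime.fromtimestamp(epoch, ZoneInfo(display_zone))
    return shown.strftime("%Y-%m-%d %H:%M:%S %Z")


if __name__ == "__main__":
    # Constructed _time values, e.g. copied from a search that prints _time.
    for indexed in (1317120804.699, 1317117204.699):
        verdict = diagnose(SAMPLE_EVENT, indexed, "UTC", "Europe/London")
        print(indexed, verdict, render(indexed, "Europe/London"))
```

Use an event from a date when the two zones differ; a winter event from a London-zoned indexer returns "inconclusive" because UTC and Europe/London then share the same offset.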

esalesapns2
Path Finder

I'm having the same issue in 7.3.2. System is logging in US/Eastern, Splunk is UTC. My props is based on source. Applied it on HF, and Indexer, no change to time setting.

0 Karma

ejenson_splunk
Splunk Employee

This is still an issue in version 6.5.2. If the sourcetype is defined in inputs and not reassigned in props/transforms it works fine.

0 Karma

vcarbona
Path Finder

After trial and error, it seems to work when I specify it without any spaces and then restart the indexer. Using $SPLUNK_HOME/etc/system/local/props.conf in 4.3.6 version:

[source::*\\mydata\\Log*]
TZ=UTC

yuvalba
Path Finder

I seem to be having the same issue. Setting TZ via [host::myhost] has no effect, while using [source::mysource] works. Were you able to get it to work using a host stanza?
PS: I am using Splunk 5.0.10.

0 Karma

sloshburch
Splunk Employee

I noticed the same thing in splunk 6.1* flavors. I recall it was even reproducible while defining the sourcetype in the data inputs UI. If not done already, I would encourage you to create a support ticket. It's possible this is not a known issue.

0 Karma

richnavis
Contributor

We do it by source, which works fine:
[source::\\SERVERNAME\prod-iislogs\...\...\u_ex*.log]
TZ = GMT

conorglynn
Explorer

Thanks rnavis,
Yes, I changed to setting the TZ by source in props.conf and it works just fine. For some reason the same thing did not work by host or sourcetype for me.
Anyway, all well now. Thanks, Conor

tskinnerivsec
Contributor

Thank you. I was just banging my head on a data source with the TZ command. I usually match on sourcetype and typically it works; in this case it did not (I think due to the fact that I was overriding the sourcetype field). Matching this field on source did the trick for me.

0 Karma

conorglynn
Explorer

We have managed to sort out the times on our log4j clients at source, but I am still having problems getting the IIS logs to offset correctly. I have placed the following in props.conf on the indexer but it is having no effect:

[IIS]
TZ = UTC

Does anybody have any info on getting IIS logs to offset to the correct timezone on the indexer?
