Getting Data In

Time zone recognition still doesn't work after editing props.conf

greg
Communicator

Splunk 4.3 is installed locally on my Windows computer where time zone is set correctly.
I have timestamps formatted like this: 2012-01-01 12:00:00 ...log data...

My ...\etc\system\local\props.conf is:

    [source::...\\*Statistics\\...\\*.log*]
    TIME_FORMAT=%Y-%m-%d %H:%M:%S
    TZ=Europe/Moscow
    MAX_TIMESTAMP_LOOKAHEAD=30

and my logs are stored according to the path mask specified under source stanza
(say, D:\Data\Statistics\Db\Transactions.log).

After restarting Splunk with such settings I still have GMT+3 instead of GMT+4.
Incorrectly shifted timestamps are displayed on the summary page and in every report table where the _time field is present.

I managed to fix this problem in 4.2 simply by editing props.conf.
Strange, but after installing 4.3 it came back.

What should I check and correct in addition to props.conf?
Did something change in 4.3, maybe .conf file location or settings format?

--
UPDATE:
Since November 2014 we are back in GMT+3 in Moscow (RTZ2 time zone) with no further switch to daylight time.
So the problem is no longer relevant and is not reproduced (Splunk 6.1).

However, the workaround below could be useful for somebody with a similar problem.

greg
Communicator

I went further in my investigation and found some interesting things:

  1. If I remove props.conf at all, event timestamps become correct (UTC +04:00).
     In the meantime, timestamps on the search summary page are still off by an hour (UTC +03:00).

  2. If I change the Windows time zone, say, to "Abu Dhabi/Muscat" (UTC +04:00), timestamps on the summary page turn to their correct values.

So I can conclude there are incorrect time zone mappings in Splunk for the Moscow time zone.
The workaround for me was to set computer time zone to "Abu Dhabi/Muscat" (UTC +04:00), but it doesn't look very nice.

-- P.S. --

How can I check the timezone offset for Europe/Moscow in Splunk 4.3?

Question to Splunk guys: Is it a bug in the Splunk timezone package (Moscow is now in UTC +04:00 with "no upcoming Daylight Saving Time changes" (c))?

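One way to answer the question about checking the Europe/Moscow offset, as an added example that is not from the original post and uses Python's zoneinfo rather than Splunk's own zone table: it parses the question's TIME_FORMAT, applies TZ=Europe/Moscow, and reports the UTC offset the host tz database assigns to each event. If the database says +4 for a 2012 event but Splunk displays +3, the stale mapping is in Splunk's bundled zone data, not in props.conf. The sample log lines are constructed.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

# Same values as the props.conf stanza in the question.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
TZ_NAME = "Europe/Moscow"

# Constructed sample lines (not from the post): a timestamp in the
# question's format followed by filler log data.
SAMPLE_LOG_LINES = [
    "2012-01-01 12:00:00 transactions db=Db rows=42",  # permanent UTC+4 era
    "2010-07-01 12:00:00 transactions db=Db rows=17",  # MSD summer time, UTC+4
    "2015-01-01 12:00:00 transactions db=Db rows=8",   # back to UTC+3
]


def parse_event_time(line, time_format=TIME_FORMAT, tz_name=TZ_NAME):
    """Parse the leading timestamp and interpret it in tz_name.

    This mirrors what TIME_FORMAT + TZ ask Splunk to do: read the literal
    wall-clock time, then resolve it in the named zone. Returns an aware
    datetime. The prefix width is derived from the format itself
    (19 characters for the question's layout).
    """
    width = len(datetime(2000, 1, 1).strftime(time_format))
    naive = datetime.strptime(line[:width], time_format)
    return naive.replace(tzinfo=ZoneInfo(tz_name))


def utc_offset_hours(dt):
    """UTC offset of an aware datetime in hours, e.g. 4.0 for UTC+04:00."""
    return dt.utcoffset().total_seconds() / 3600


def offset_report(lines=SAMPLE_LOG_LINES):
    """Map each line's timestamp text to the offset the tz database applies."""
    return {line[:19]: utc_offset_hours(parse_event_time(line)) for line in lines}


def to_epoch(line):
    """Epoch seconds that _time should hold for this line under TZ_NAME."""
    return int(parse_event_time(line).timestamp())


if __name__ == "__main__":
    for stamp, hours in offset_report().items():
        print(f"{stamp} {TZ_NAME} -> UTC{hours:+.0f}")
```

Run it on the host where Splunk indexes and compare the printed offsets with the _time values Splunk shows for the same events; a one-hour difference for 2012 dates reproduces the symptom described in this thread.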

astepanov
Explorer

I join greg's question to the Splunk guys: Is it a bug in the Splunk timezone package (Moscow is now in UTC +04:00 with "no upcoming Daylight Saving Time changes" (c))?

Such a bug would make event correlation across different time zones unreachable.

Drainy
Champion

Any changes you make to this will only take effect on newly indexed data.

One area to check would be to run this command (from the splunk/bin directory),

./splunk cmd btool props list --debug

This will output every props statement currently in effect, with the debug option adding a prefix to each line that names the app responsible, to help identify what is causing it. It's possible something else in 4.3 is overriding your setting.

greg
Communicator

Thanks for this command, I found my config section in the output and it looks OK. Still trying to figure out where the problem is.
Newly indexed data keeps coming with incorrect time zone.
