Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

TimeZone setting not working for host set from host_regex?

woodcock
Esteemed Legend
‎05-29-2014 09:06 PM

This configuration is not working:

From inputs.conf

[monitor:///somepath/.csv]
host_regex = .([^])[^].csv(?:.gz)?$
sourcetype = somesourcetype

From props.conf:

[host::PR*]
TZ = US/Atlantic

The host is correctly being set but the TZ is not. Based on this (version 6.1, BTW), I am assuming that if the host value is set using "host_regex", then "host" cannot be used to start a stanza in props.conf, right? If not, why does this not work?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-03-2014 09:15 PM

OK, I figured it out.

This DOES NOT WORK:

[host::CH...|DA...|NV...]
TZ = US/Central

This DOES WORK:

[host::(CH...|DA...|NV...)]
TZ = US/Central

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-03-2014 09:15 PM

OK, I figured it out.

This DOES NOT WORK:

[host::CH...|DA...|NV...]
TZ = US/Central

This DOES WORK:

[host::(CH...|DA...|NV...)]
TZ = US/Central

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-30-2014 12:33 AM

Fair enough; my bad.
Even if I fix that, it still doesn't work.
I have another stanza like this which also does not work:

[host::IE*]
TZ = US/Pacific

0 Karma
Reply
Solved! Jump to solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎05-29-2014 11:07 PM

Setting the TZ off of the host that has been set with host_regex is totally legit.

However... the Atlantic Standard Time Zone is a Not a US time zone... That's Quebec...

Atlantic Standard Time - Quebec - Lower North Shore (Canada) That's -4:00 with no DST

I imagine however based on the host example you are using that you're looking for Puerto Rico
America/Puerto_Rico which is also -4:00/-4:00 with no DST

http://en.wikipedia.org/wiki/List_of_tz_database_time_zones

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...