
Timezone conversion issue on HF

bkumarm
Contributor

We have an HF in the UTC timezone that is receiving log events from a Universal Forwarder running in the EDT timezone.
The log events are in the UTC timezone.
The HF is configured in non-indexer mode (Indexandforward = false in props.conf) and
the HF is forwarding the events into an external application, attaching a header (time, hostname).

The issue is:
The time that the HF is attaching is in the EDT timezone; we want this to be in the UTC timezone.

Has anyone faced this kind of issue? Please suggest solutions.

Below are config details:
props.conf
[mysourcetype]
TRANSFORMS-route_log = route_log_external

transforms.conf
[route_log_external]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = external_out

outputs.conf
[syslog]
defaultGroup = none
maxEventSize = 50000

[syslog:external_out]
server = 127.0.0.1:12121
type = tcp
timestampformat = %b %e %H:%M:%S


Raschko
Communicator

Have you set the timezone on the first HF to EDT for this input stanza?

props.conf:

TZ = <timezone identifier>

If the timezone is in the log events, Splunk will use this timezone (from props.conf Splunk docs).


ddrillic
Ultra Champion

You are saying -
-- The log events are in UTC timezone.

So, the time in the log events is not in the format of -0500, GMT, right? Otherwise you would have received the events in the UTC timezone.

You should probably "force" the timezone at the forwarder level.


bkumarm
Contributor

Yes, we do not get log events in the format -0500, GMT.
Could you please explain how to "force" the timezone at the UF level? And how would that affect the event when it is forwarded again from the HF?


ddrillic
Ultra Champion

If the log event can have an explicit time zone then it's obviously the best choice.
If not, then apparently props.conf on the indexer is the proper place to "force" it.

bkumarm
Contributor

We don't have any TZ specified in props.conf on the UF at the source.
I have updated the description above with additional info.


Raschko
Communicator

Please try to set one in props.conf as I described above using your timezone identifier for EDT.

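The skew discussed in this thread comes from a timestamp that carries no zone information being read against an assumed timezone (the role of TZ in props.conf), with the header then rendered through timestampformat. The script below is an added simulation of that behaviour, not Splunk code or anything posted in the thread; the log lines, hostname, year and the America/New_York zone are constructed for the illustration.

```python
"""Simulate how a zone-less timestamp is interpreted under an assumed timezone
(what props.conf TZ controls) and how the syslog header time is then rendered."""
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample: classic syslog header, no year and no zone information.
LOG_LINE_NO_TZ = "Jun 01 14:00:00 webhost app[123]: user login ok"
# Same constructed event, written with an explicit offset as suggested in the thread.
LOG_LINE_WITH_TZ = "2024-06-01T14:00:00+0000 webhost app[123]: user login ok"


def parse_event_time(line: str, assumed_tz: str, year: int = 2024) -> float:
    """Return epoch seconds for the line's timestamp.

    An explicit offset in the line always wins; otherwise the wall-clock time is
    read in assumed_tz, which is exactly what a TZ setting does for that sourcetype.
    """
    head = line.split(" ", 1)[0]
    if "T" in head:  # ISO 8601 with explicit offset, e.g. ...T14:00:00+0000
        return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S%z").timestamp()
    # "Jun 01 14:00:00" is the first 15 characters; attach the missing year and zone.
    naive = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=ZoneInfo(assumed_tz)).timestamp()


def syslog_header_time(epoch: float, render_tz: str,
                       fmt: str = "%b %e %H:%M:%S") -> str:
    """Render the header time the way outputs.conf timestampformat would, in render_tz."""
    return datetime.fromtimestamp(epoch, ZoneInfo(render_tz)).strftime(fmt)


def skew_hours(line: str, assumed_tz: str, true_tz: str = "UTC") -> float:
    """Hours by which _time drifts when a true_tz log is parsed as assumed_tz."""
    return (parse_event_time(line, assumed_tz) - parse_event_time(line, true_tz)) / 3600


if __name__ == "__main__":
    for tz in ("UTC", "America/New_York"):
        epoch = parse_event_time(LOG_LINE_NO_TZ, tz)
        print(f"assumed TZ={tz:17} header={syslog_header_time(epoch, 'UTC')} UTC "
              f"skew={skew_hours(LOG_LINE_NO_TZ, tz):+.0f}h")
    # With an explicit offset in the event the assumed zone is irrelevant.
    print("explicit offset, assumed EDT:",
          syslog_header_time(parse_event_time(LOG_LINE_WITH_TZ, "America/New_York"), "UTC"))
```

Running it shows the same 14:00 UTC line forwarded as 18:00 when the parser assumes EDT, and an unchanged 14:00 once either TZ = UTC is applied or the event itself carries an offset.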