Getting Data In

Timezone isn't being set correctly

Path Finder

I have a log file with events that look like:

< Start >
Timestamp: 2/27/2015 8:34:14 PM
Information:
Message: Refresh Scheduler Started
Msg: Refresh Scheduler Started
MsgType: Info
Category: General
Priority: -1
EventId: 0
Severity: Information
Machine: SMLIMA
App Domain: Scheduler.exe
ProcessId: 13728
Win32 ThreadId:28176
< End >

The timestamp is using UTC when the server is using -5:00. I have created a props.conf file and having it on both the Universal Forwarder and my Indexer. The stanza looks like:

[limalog]
BREAK
ONLYBEFOREDATE = false
BREAKONLYBEFORE = < Start >
TZ = UTC

I have verified this stanza using 'splunk cmd btool props list lima_log' and it appears correct. However the event's timestamp when searching is +5:00 from what it should be.

What am I doing wrong?

If it matters, I am running Splunk 6.2.1.

Thank you in advance,

Jeremy

Tags (2)
0 Karma
1 Solution

Path Finder

I am not sure what I was looking at Friday as when I looked today the events' _time is correct.

Thank you for your help!

View solution in original post

0 Karma

Path Finder

I am not sure what I was looking at Friday as when I looked today the events' _time is correct.

Thank you for your help!

View solution in original post

0 Karma

Legend

You are telling Splunk that the data is in UTC! See line 4 of your stanza! You might want to set

TZ = America/Lima

or any other setting from the TZ database.

Because the Universal Forwarder does not parse the data, you only need the [lima_log] stanza on the indexer. Finally, a 6.2.1 forwarder will provide local time zone info when it sends data - so if the OS on the forwarder has the right time zone, you should not need the TZ setting at all. (Forwarders prior to Splunk 6 did not do this.)

0 Karma