By way of a light forwarder, I'm receiving IIS logs in W3C Extended Format from 5 boxes which log events in GMT time - there's no way to change timezones when using this format with IIS.
Because our Splunk server lives in a GMT+10 timezone, and all our other sourcetypes/events are logged in the server's TZ, we have set up a props.conf file under C:\Program Files\Splunk\etc\system\local with the following entry at the top of the file to specifically handle IIS logs:
We've also tried:
[IIS*]
TZ = America/Los_Angeles
It seems no matter what I try, I just can't get Splunk to treat my logs correctly. This is a MAJOR problem because it makes them totally unusable in a real time context. The net effect is all entries appear 10 hours into the future.
Have you seen this yourself? How did you fix it?
Mine is simply this:
[default]
TZ = US/Eastern
So maybe try this?
[name_of_sourcetype]
TZ = US/Pacific
Make sure that whatever you put in place of name_of_sourcetype is the sourcetype that the IIS log is using.
Per @gkanapathy's answer above, I believe your answer is not correct; the time zone should be marked GMT, not local.
For IIS W3C formatted logs, the time zone is always GMT, so you should set TZ = GMT. The timezone setting of the incoming data is completely independent of the server time zone.
You may not use wildcards in sourcetype stanzas in props.conf (only in source:: and host:: stanzas) so that is one problem.
It would be useful to know what you are setting the sourcetype of your inputs to. They would be set on the light forwarder, and you should set them explicitly. If not set explicitly on the light forwarder, the default rules should set it to iis. Note that if this is the case, the props.conf stanza names are case-sensitive, so that may be another problem.
I'm also not certain why you'd have tried America/Los_Angeles as a
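An added illustration (not from any poster in this thread) of the arithmetic behind the ten-hour displacement described above: it parses a constructed W3C Extended sample by its #Fields header, then interprets the GMT timestamps once correctly and once as if they were in the indexer's GMT+10 zone, which is what happens when no TZ is declared for the IIS sourcetype. The sample log, the fixed GMT+10 offset and all function names are assumptions made for this example.

```python
"""Why IIS W3C Extended logs (always stamped in GMT) land ten hours off when
Splunk is left to assume the indexer's own GMT+10 zone, and what the same
stamp looks like once it is read as GMT.  Constructed sample data."""
from datetime import datetime, timedelta, timezone

# Constructed sample of a W3C Extended log as IIS writes it (directives + entries).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2010-07-01 03:15:22
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-07-01 03:15:22 10.0.0.5 GET /default.htm - 80 - 10.0.0.9 Mozilla/5.0 200 0 0 31
2010-07-01 03:15:23 10.0.0.5 GET /images/logo.png - 80 - 10.0.0.9 Mozilla/5.0 304 0 0 2
"""

GMT = timezone.utc
# Assumed indexer zone from the thread: GMT+10 as a fixed offset (no DST, no tzdata needed).
SERVER_TZ = timezone(timedelta(hours=10))


def parse_w3c(text):
    """Parse W3C Extended lines into dicts keyed by the names in the #Fields directive."""
    fields = None
    entries = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Version, #Date) and blanks
        elif fields is not None:
            entries.append(dict(zip(fields, line.split())))
    return entries


def event_time(entry, assumed_tz):
    """Combine the date and time fields and interpret them in assumed_tz."""
    naive = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=assumed_tz)


def misread_offset_seconds(entry):
    """Displacement (true instant minus misread instant) when a GMT stamp is read as GMT+10.

    03:15 GMT read as 03:15 GMT+10 is 17:15 GMT the previous day, so the
    misread instant sits a full ten hours (36000 s) away from the true one.
    """
    correct = event_time(entry, GMT)
    misread = event_time(entry, SERVER_TZ)
    return int((correct - misread).total_seconds())


def local_display(entry):
    """How the stamp renders in the indexer's zone once it is correctly treated as GMT."""
    return event_time(entry, GMT).astimezone(SERVER_TZ).strftime("%Y-%m-%d %H:%M:%S %z")


if __name__ == "__main__":
    for e in parse_w3c(SAMPLE_LOG):
        print(e["time"], "GMT ->", local_display(e),
              "| misread by", misread_offset_seconds(e) // 3600, "hours")
```

The point the thread makes is visible in the numbers: the stamp itself never changes, only the zone Splunk is told to read it in, which is why TZ = GMT on the sourcetype is the fix rather than anything about the indexer's clock.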
I am using TZ = GMT in ~/etc/system/local/props.conf and the times and dates are correct in Splunk. Because I may be taking other IIS logs, I explicitly set the sourcetype in the deployment-apps directory/default/inputs.conf as
sourcetype = mswin2008r2iisw3c
This way I can use another sourcetype if the server version is different.
My ~/etc/system/local/props.conf stanza looks like this (field names can be found in the header of the log file):
[mswin2008r2iisw3c]
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
For what it is worth, the IIS-1, IIS-2, ..., IIS-n issue should be fixed in 4.1.4 if you have manually set the sourcetype to IIS in inputs.conf, thus solving your problem the 'right' way 🙂
So are IIS logs, which are by default set to GMT, read in and viewed in the timezone of the web server serving up the searches? Are other logs, like event logs, doing the same?