By way of a light forwarder, I'm receiving IIS logs in W3C Extended Format from 5 boxes which log events in GMT time - there's no way to change time zones when using this format with IIS.
Because our Splunk server lives in a GMT+10 time zone, and all our other sourcetypes/events are logged in the server's TZ, we have set up a props.conf file under C:\Program Files\Splunk\etc\system\local with the following entry at the top of the file to specifically handle IIS logs:
We've also tried:
[IIS*]
TZ = America/Los_Angeles
It seems no matter what I try, I just can't get Splunk to treat my logs correctly. This is a MAJOR problem because it makes them totally unusable in a real-time context. The net effect is that all entries appear 10 hours into the future.
Have you seen this yourself? How did you fix it??
For what it is worth, the IIS-1, IIS-2, ..., IIS-n issue should be fixed in 4.1.4 if you have manually set the sourcetype to IIS in inputs.conf, thus solving your problem the 'right' way 🙂
For IIS W3C formatted logs, the time zone is always GMT, so you should set TZ = GMT. The timezone setting of the incoming data is completely independent of the server time zone.
You may not use wildcards in sourcetype stanzas in props.conf (only in source:: and host:: stanzas) so that is one problem.
It would be useful to know what you are setting the sourcetype of your inputs to. They would be set on the light forwarder, and you should set them explicitly. If not set explicitly on the light forwarder, the default rules should set it to iis. Note that if this is the case, the props.conf stanza names are case-sensitive, so that may be another problem.
I'm also not certain why you'd have tried America/Los_Angeles as a
I am using TZ = GMT in ~/etc/system/local/props.conf and the times and dates are correct in Splunk. Because I may be taking other IIS logs, I explicitly set the sourcetype in the deployment-apps directory/default/inputs.conf as
sourcetype = mswin_2008r2_iisw3c
This way I can use another sourcetype if the server version is different.
My ~/etc/system/local/props.conf stanza looks like this (field names can be found in the header of the log file):
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
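To see why TZ = GMT is the right setting for this format, here is an added example (not from any of the posts above) that parses IIS W3C Extended lines using their #Fields header, interprets the date/time as UTC the way IIS writes them, and computes the shift you get if the same timestamps are misread as the GMT+10 server time from the question. The log lines are constructed sample data; the fixed +10:00 offset stands in for the poster's server time zone.

```python
"""Parse IIS W3C Extended log lines and show the effect of a wrong TZ."""
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real traffic); IIS always writes date/time in UTC.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem sc-status time-taken
2011-03-01 00:00:12 10.0.0.5 GET /index.html 200 15
2011-03-01 13:45:07 10.0.0.5 POST /login 302 120
"""

# Assumed stand-in for the GMT+10 Splunk server described in the question.
SERVER_TZ = timezone(timedelta(hours=10))


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields is None:
            raise ValueError("data line seen before a #Fields header")
        else:
            yield dict(zip(fields, line.split()))


def event_time(rec, assumed_tz):
    """Timestamp of a record when its date/time are read in assumed_tz."""
    naive = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=assumed_tz)


def local_display(rec):
    """Correct wall-clock time on the GMT+10 server (TZ = GMT applied)."""
    return event_time(rec, timezone.utc).astimezone(SERVER_TZ).isoformat()


def skew_hours(rec):
    """Hours between the time indexed if the log is misread in SERVER_TZ and
    the true UTC event time; negative means the indexed time is too early."""
    misread = event_time(rec, SERVER_TZ)
    correct = event_time(rec, timezone.utc)
    return (misread - correct).total_seconds() / 3600


if __name__ == "__main__":
    for rec in parse_w3c(SAMPLE_LOG):
        print(rec["time"], "UTC ->", local_display(rec), "skew:", skew_hours(rec), "h")
```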
Mine is simply this:
[default]
TZ = US/Eastern
So maybe try this?
[name_of_sourcetype]
TZ = US/Pacific
Make sure that whatever it is that you put in place of name_of_sourcetype is the sourcetype that the IIS log is using.