Getting Data In

Timezones & IIS W3C Extended Logging - why don't they work?

Explorer

By way of a light forwarder, I'm receiving IIS logs in W3C Extended Format from 5 boxes, which log events in GMT time; there's no way to change the timezone when using this format with IIS.

Because our Splunk server lives in a GMT+10 timezone, and all our other sourcetypes/events are logged in the server's TZ, we have set up a props.conf file under C:\Program Files\Splunk\etc\system\local with the following entry at the top of the file to specifically handle IIS logs:

[IIS*]
TZ=GMT

We've also tried:

[IIS*]
TZ = America/Los_Angeles

It seems that no matter what I try, I just can't get Splunk to treat my logs correctly. This is a MAJOR problem because it makes them totally unusable in a real-time context. The net effect is that all entries appear 10 hours into the future.

Have you seen this yourself? How did you fix it?

Thanks 🙂

New Member

So are IIS logs, which are by default set to GMT, read in and viewed in the timezone of the web server serving up the searches? Are other logs, like event logs, doing the same?

Splunk Employee

For what it is worth, the IIS-1, IIS-2, ..., IIS-n issue should be fixed in 4.1.4 if you have manually set the sourcetype to IIS in inputs.conf, thus solving your problem the 'right' way 🙂

Champion

It is still broken in 5.0.3... I'm getting an iis-2 sourcetype despite hardcoding it in inputs.conf.

Contributor

Hi Alex, could you provide more info about what is being fixed in 4.1.4 re: IIS-1, IIS-2, etc.? What's changing?

Splunk Employee

For IIS W3C formatted logs, the time zone is always GMT, so you should set TZ = GMT. The timezone setting of the incoming data is completely independent of the server time zone.

You may not use wildcards in sourcetype stanzas in props.conf (only in source:: and host:: stanzas) so that is one problem.

It would be useful to know what you are setting the sourcetype of your inputs to. It would be set on the light forwarder, and you should set it explicitly. If it is not set explicitly on the light forwarder, the default rules should set it to iis. Note that in this case the props.conf stanza names are case-sensitive, so that may be another problem.

I'm also not certain why you'd have tried America/Los_Angeles as a TZ setting.
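
To make the points in the answer above concrete, here is an added example; it is not code from the original thread or from Splunk. It parses IIS W3C Extended lines from a constructed sample (including a second directive header of the kind IIS writes after a restart), reads the date/time fields as UTC, and computes how far each event is misplaced if those same fields are instead read in the indexer's zone, assumed here to be a fixed GMT+10 with no DST. The props.conf side of the fix is simply a stanza named exactly as the sourcetype the forwarder assigns, with no wildcard, for example `[iis]` followed by `TZ = GMT`.

```python
"""Added example for this thread (not code from the original posts or from
Splunk): parse IIS W3C Extended log lines and show how far an event is
misplaced when its UTC timestamp is read in the indexer's local zone."""
from datetime import datetime, timezone, timedelta

# Constructed sample in IIS W3C Extended Format.  IIS writes date/time in
# UTC, and it re-emits the directive header when the site restarts, so a
# parser must be ready to pick up a new #Fields line mid-file.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-06-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-06-10 00:00:05 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 31
2013-06-10 00:01:17 10.0.0.5 POST /login.aspx - 443 - 198.51.100.7 Mozilla/5.0 302 0 0 94
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-06-10 00:02:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status time-taken
2013-06-10 00:02:30 10.0.0.5 GET /admin/ - 443 - 198.51.100.7 403 12
"""

# The indexer in the question runs at GMT+10 (assumed fixed offset, no DST).
SERVER_TZ = timezone(timedelta(hours=10))


def parse_w3c(text):
    """Yield one dict per event, keyed by the most recent #Fields header."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no event data
        if fields is None:
            raise ValueError(f"line {lineno}: event before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        yield dict(zip(fields, values))


def event_time(ev, tz=timezone.utc):
    """Combine date and time into an aware datetime.  The W3C format is
    always UTC, so tz=timezone.utc is the only correct choice; the parameter
    exists so the wrong interpretation can be demonstrated."""
    naive = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz)


def misread_offset_seconds(ev, server_tz=SERVER_TZ):
    """Signed error, in seconds, introduced by reading the timestamp in the
    server's zone instead of UTC (what happens with no TZ in props.conf).
    A negative value means the event is placed earlier than it occurred."""
    correct = event_time(ev)
    wrong = event_time(ev, tz=server_tz)
    return (wrong - correct).total_seconds()


def to_local(ev, server_tz=SERVER_TZ):
    """The correctly placed event, displayed in the indexer's local zone."""
    return event_time(ev).astimezone(server_tz)


if __name__ == "__main__":
    for ev in parse_w3c(SAMPLE_LOG):
        print(ev["time"], ev["cs-method"], ev["cs-uri-stem"], ev["sc-status"],
              "->", to_local(ev).isoformat(),
              f"(misread by {misread_offset_seconds(ev) / 3600:+.0f} h)")
```

With the indexer at GMT+10 every event comes out misplaced by exactly the zone's offset, 10 hours, so the log can no longer be correlated in real time with event logs or firewall logs that were stamped in the server's zone. The parser also tolerates a repeated `#Fields` header with a different column layout, which is why a fixed field mapping (or a header-detection setting that only looks at the first line) is a fragile way to handle IIS files.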

Motivator

I am using TZ = GMT in ~/etc/system/local/props.conf and the times and dates are correct in Splunk. Because I may be taking other IIS logs, I explicitly set the sourcetype in the deployment-apps directory/default/inputs.conf as

sourcetype = mswin_2008r2_iisw3c

This way I can use another sourcetype if the server version is different.

My ~/etc/system/local/props.conf stanza looks like this (field names can be found in the header of the log file):

[mswin_2008r2_iisw3c]
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

Contributor

Mine is simply this:

[default]
TZ = US/Eastern

So maybe try this?

[name_of_sourcetype]
TZ = US/Pacific

Make sure that whatever you put in place of name_of_sourcetype is the sourcetype that the IIS log is using.

Contributor

From what the user is saying, it seems that setting the TZ to GMT was not working. Perhaps a bug?

Contributor

Per @gkanapathy's answer above, I believe your answer is not correct: the time zone should be marked GMT, not local.
