Getting Data In

UTC Time Zone Offset Not Working for Host

ejwade
Contributor

I have a single Linux syslog stream, containing logs from multiple hosts, coming into a Splunk indexer through a TCP port - 1027. The source=tcp:1027 and sourcetype=syslog. The host is assigned using default settings, but I also have the following in place:

props.conf
[source::tcp:1027]
TRANSFORMS-syslog-forwarded-hostrewrite01=syslog-forwarded-hostrewrite01

transforms.conf
[syslog-forwarded-hostrewrite01]
DEST_KEY = MetaData:Host
REGEX = ^\S+\s+[0-9]+\s+[:0-9]+\s\S+\sMessage forwarded\sfrom\s?(\S+):
FORMAT = host::$1
disabled = 0

There's a specific host "utc-host" that is send logs in UTC. Our indexer and users are in Pacific Time. To offset this, I created the following configuration:

props.conf
[host::utc-host]
TZ = UTC

Unfortunately, this did not work. I did cmd btool props list to confirm the configurations were committing to Splunk's running configuration. Any tips?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

btool shows the configuration that will be used the next time Splunk restarts. Did you restart Splunk after making changes to props.conf?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ejwade
Contributor

Yes - many times.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...