I am attempting to bring data together from servers sitting in GMT in line with the logs from servers sitting in CST, but have been unsuccessful in setting the TZ within props.conf on the index server for the affected hosts. My goal is to have all logs appear as if they are indexed within CST. Currently I have data that "appears in the future" due to GMT settings on each host.
My host list looks like this:
pd-mnsdfdh123
vn-mnkcdjkel2
vm-mnkdjke235
...
In order to capture all the host names affected I have added the following REGEX to my props.conf, which captures the names but doesn't translate the TZ... at all.
Also tried without luck.
This appears to be pretty straight forward but for some reason the solution has escaped me to date.
I had a pain syncing my timezones too, here is the info that helped me out:
First, you should note that the Splunk Indexer sets everything relative to its own time zone. Thus if you want to have the logs be indexed based on CST, the indexer's timezone must be set to CST. The Indexer gets its timezone info from the clock set on the machine it's installed on, so to reiterate, the Indexer machine's Time and Date settings should be set to CST if that is the timezone you want to base inputs off of. Yes, it is kinda annoying, w/e.
Secondly, all machines that are in a different time zone from your Indexer (anything not in CST) will need to have a TZ setting in props.conf. The TZ setting will be set to whatever timezone the forwarding host is in, thus if the Indexer is in CST and the Forwarder is in EST then the TZ set in props.conf on the Indexer for the Forwarder would be set to EST. Splunk will then figure out the difference between the two timezones and mark inputs accordingly.
I also noticed that you were not using correct TZ codes for the TZ setting, "GMT" is not a correct TZ code. The list of TZ codes can be found here: http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones (Look under the TZ column)
So to wrap up, I think your entry looks good except that "GMT" is not a correct TZ. I would double check that you use the right TZ for daylight savings time; UTC has more zones than GMT with more specific daylight savings times. Use the wiki page above and pay attention to Standard Time vs. Summer Time: for example, America/Dawson_Creek has a standard time zone of UTC-07 and no summer time, while America/Cambridge_Bay also has a standard time zone of UTC-07 but has a summer time of UTC-06. If the Indexer's timezone and the Forwarders' time zones are not synced for daylight savings time then you could hit some nasty bugs whenever daylight savings time changes.
Good Luck and Happy Splunking!
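To make the mechanics in the answer above concrete, here is an added Python example (not from the original thread or from Splunk) that models what the indexer does: a zone-less log timestamp is interpreted in the host's configured TZ and then converted to the indexer's own zone, and an unconfigured host lands "in the future" by the offset difference. The host-to-zone mapping and the timestamps are constructed for the example, and it assumes Python 3.9+ with system tzdata available; the last function reproduces the Dawson_Creek / Cambridge_Bay daylight-savings comparison from the answer.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed mapping standing in for per-host props.conf stanzas such as
# [host::pd-mnsdfdh123] with a TZ = ... line (zone assignments are assumed).
HOST_TZ = {
    "pd-mnsdfdh123": "Europe/London",  # assumed: GMT in winter, BST in summer
    "vn-mnkcdjkel2": "Etc/UTC",        # assumed: plain UTC, never shifts
}
INDEXER_TZ = ZoneInfo("America/Chicago")  # indexer clock set to Central time

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def index_time(host: str, stamp: str, indexer_tz=INDEXER_TZ) -> datetime:
    """Interpret a zone-less timestamp the way the indexer would: in the
    host's configured TZ (falling back to the indexer's own zone when the
    host has no TZ stanza) and return it converted to the indexer's zone."""
    naive = datetime.strptime(stamp, TS_FORMAT)
    source = ZoneInfo(HOST_TZ[host]) if host in HOST_TZ else indexer_tz
    return naive.replace(tzinfo=source).astimezone(indexer_tz)


def future_skew_hours(host: str, stamp: str) -> float:
    """Hours an event lands 'in the future' when the host's TZ is NOT set
    (timestamp taken as indexer-local) compared with the translated time."""
    naive = datetime.strptime(stamp, TS_FORMAT)
    untranslated = naive.replace(tzinfo=INDEXER_TZ)
    return (untranslated - index_time(host, stamp)).total_seconds() / 3600


def offset_hours(zone: str, stamp: str) -> float:
    """UTC offset of a zone at a given local time; compare winter vs. summer
    to see whether two zones with the same standard offset share DST rules."""
    naive = datetime.strptime(stamp, TS_FORMAT)
    aware = naive.replace(tzinfo=ZoneInfo(zone))
    return aware.utcoffset().total_seconds() / 3600


if __name__ == "__main__":
    for host in HOST_TZ:
        for stamp in ("2013-01-15 12:00:00", "2013-07-15 12:00:00"):
            print(host, stamp, "->", index_time(host, stamp).isoformat(),
                  "skew if TZ unset: %.0fh" % future_skew_hours(host, stamp))
    for zone in ("America/Dawson_Creek", "America/Cambridge_Bay"):
        print(zone, "Jan", offset_hours(zone, "2013-01-15 12:00:00"),
              "Jul", offset_hours(zone, "2013-07-15 12:00:00"))
```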
Thanks... I circled back and reset the props.conf on the indexer to TZ=UTC-06 for CST (midwest) followed by a restart. I would expect to see the data from hosts within UTC-0 (GMT) to be translated to my current UTC-06 time, but this is not the case. I still see the data streaming at its own time.
Am I way off base trying to have servers with TZ 6 hours earlier be searchable to the same CST as my indexing servers and the rest of my environment?