Getting Data In

Using props.conf on SplunkUniversalForwarder to denote TimeZone

dan_ce
New Member

TimeZone specification in props.conf on a SplunkUniversalForwarder instance does not appear to be working for me.

  • SplunkUniversalForwarder instance version 6.3.2
  • Splunk instance (indexer) version 7.0.0
  • The application server running the forwarder is in US/Eastern system timezone (cannot change)
  • The logs are generated in UTC without a timezone specifier in the string (cannot change)

As the logs are received by Splunk they are interpreted as being UTC-5 as I suppose the forwarder is appending its system timezone. As the _time field is subsequently converted to UTC we see logs with time values 5 hours in the future.

I want to configure the forwarder instance to explicitly state that the timezone of the records it's sending on is UTC. I've tried the following:

props.conf in:
- apps/appname/local
- apps/appname/default
- system/local
- system/default

I've tried several different stanzas to match the log monitors, for example:

[sourcetype]
TZ = UTC

[host::hostname*]
TZ = UTC

[source::...//logs//debug_*]
TZ = UTC

[default]
TZ = UTC

All to no avail. Actually I am now at the point where I don't think the configuration is a problem, but it may still be. I don't see any difference to the logs imported regardless of which of the above options I use, so it's like it's being overridden at the indexer or simply not picked up.

Documentation suggests that the forwarder should be able to append TimeZone information from props.conf post version 6 and that this ought to be respected when indexed. I'm not seeing this behaviour at all. I don't want to / can't configure this at the indexer as I have servers in multiple different timezones, they each need to be able to specify the source tz information.

Can anyone suggest any other avenues of exploration? Thanks in advance.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The props.conf file should go on the indexers rather than the universal forwarders. If the sourcetype has forwarders in different time zones, then use a heavy forwarder and put the props.conf file there.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The props.conf file should go on the indexers rather than the universal forwarders. If the sourcetype has forwarders in different time zones, then use a heavy forwarder and put the props.conf file there.

---
If this reply helps you, Karma would be appreciated.
0 Karma

dan_ce
New Member

Thank you for your response. I must have misunderstood the line in the documentation which discusses timezone application precedence which states:

"If the forwarder and the receiving indexer are version 6.0 or later, use the time zone that the forwarder provides."

Is it then the case that this is hardwired to use only the system timezone of the instance on which the Universal Forwarder sits? It's impossible to modify this using props.conf?

0 Karma

ddrillic
Ultra Champion

-- Is it then the case that this is hardwired to use only the system timezone of the instance on which the Universal Forwarder sits? It's impossible to modify this using props.conf?

The last resort should be to set the timezone in props.conf, because you are hard-coding values.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The TZ attribute should work on the UF, but isn't in your case so I offered solutions. You should open a case with Splunk Support to find out why it's not working as documented.

---
If this reply helps you, Karma would be appreciated.
0 Karma

dan_ce
New Member

Good to know it should work, at least. Thanks for your help.

I've found a workaround which is to use _tzhint on the input stanza - works first time!

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...