Getting Data In

Why is TZ attribute on props.conf not working on Splunk Enterprise version 7.0.4?

jaracan
Communicator

Hi Team,

We have client UFs on UTC, and the Splunk HF, IDX and SH on the CST time zone. The Splunk Enterprise version is v7.0.4.
We have created props and tried both TZ=US/Central and TZ=America/Chicago (one at a time), so that when the log is searched we expect no difference between the timestamp (_time) and the time present in the event data.
We have the props present on the UF and Heavy Forwarder, but not on the Indexers.
Unfortunately, the TZ attribute in props.conf does not seem to be working on Splunk Enterprise version 7.0.4.

Is this a known bug?
We cannot change the timezone for the user on Splunk Account Setting since it will change something on the other logs that they are working on.

Regards,
Kevin

1 Solution

ololdach
Builder

Hi Kevin,
This is an excerpt from the docs:

To determine the time zone to assign to a timestamp, Splunk software uses the following logic:
1. Use the time zone specified in raw event data (for example, PST, -0800), if present.
2. Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.
3. If the forwarder and the receiving indexer are version 6.0 or later, use the time zone that the forwarder provides.
4. Use the time zone of the host that indexes the event.
Note: If you change the time zone setting of the host machine of your forwarder, you must restart the forwarder for the software to detect the change.

Check if the event's timestamp contains a time zone. If you want to override it with your own, use the TIME_FORMAT setting to exclude the time zone from the timestamp. Since you want to index the same sourcetype from multiple time zones, bind the TZ setting to the host rather than to the sourcetype. That way you rule out that some settings on the indexer overrule your settings on the forwarder, and you can keep it consistent. Please note that the time of the timestamp in the Splunk UI will always be in the local time zone of the browser. So if I am at EST and the event is correctly indexed at 9:00 UTC, the UI would claim that the event was in fact at 4:00 local, assuming EST is UTC-5.
Oliver

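As an added illustration of the four-step precedence quoted in the answer above (a Python model written for this page, not Splunk's code or the docs'), the snippet shows why a host-bound TZ stanza matters when UTC forwarders feed a parsing tier on Chicago time. Host names, the stanza, the zone map and the timestamps are constructed; stanza matching is simplified.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from zoneinfo import ZoneInfo
import re

# Model of the four-step precedence from the docs (constructed, not Splunk code).
# Simplified matching: host:: stanzas take wildcards, sourcetype stanzas match by name.
Event = namedtuple("Event", "raw host sourcetype")   # raw = timestamp text in the event

# Explicit zone written in the event itself, e.g. "-0800" or "PST" (step 1).
_RAW_ZONE = re.compile(r"(?P<num>[+-]\d{4})|\b(?P<abbr>UTC|GMT|PST|CST|EST)\b")
_ABBR_HOURS = {"UTC": 0, "GMT": 0, "PST": -8, "CST": -6, "EST": -5}

def _zone_in_raw(raw):
    m = _RAW_ZONE.search(raw)
    if m is None:
        return None
    if m.group("num"):
        sign = -1 if m.group("num")[0] == "-" else 1
        hh, mm = int(m.group("num")[1:3]), int(m.group("num")[3:5])
        return timezone(sign * timedelta(hours=hh, minutes=mm))
    return timezone(timedelta(hours=_ABBR_HOURS[m.group("abbr")]))

def _zone_in_props(ev, props):
    for stanza, settings in props.items():
        if "TZ" not in settings:
            continue
        by_host = stanza.startswith("host::") and fnmatch(ev.host, stanza[6:])
        if by_host or stanza == ev.sourcetype:
            return ZoneInfo(settings["TZ"])
    return None

def resolve_time(ev, props, forwarder_tz, indexer_tz, fmt="%Y-%m-%d %H:%M:%S"):
    # Returns the event's _time as an aware UTC datetime.
    zone = _zone_in_raw(ev.raw)                 # 1. zone present in the raw event
    if zone is None:
        zone = _zone_in_props(ev, props)        # 2. TZ from a matching stanza
    if zone is None and forwarder_tz:
        zone = ZoneInfo(forwarder_tz)           # 3. zone the forwarder reports
    if zone is None:
        zone = ZoneInfo(indexer_tz)             # 4. zone of the indexing host
    naive = datetime.strptime(_RAW_ZONE.sub("", ev.raw).strip(), fmt)
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)

# Constructed scenario: the UF writes UTC timestamps, the parsing tier runs on
# Chicago time. With the host-bound stanza _time stays 09:00 UTC; without it
# the same event is read as 09:00 CDT, i.e. 14:00 UTC, five hours off.
HOST_PROPS = {"host::uf-utc-*": {"TZ": "UTC"}}
EVENT = Event("2018-06-01 09:00:00", "uf-utc-01", "app_log")
```

An event that already carries "-0800" in its text wins at step 1 regardless of the stanza, which is why the answer suggests a TIME_FORMAT that leaves the zone out when you want TZ to apply.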