Getting Data In

Why is TZ attribute on props.conf not working on Splunk Enterprise version 7.0.4?

jaracan
Communicator

Hi Team,

We have client UFs on UTC, and the Splunk HF, IDX and SH on the CST timezone. The Splunk Enterprise version is v7.0.4.
We have created props and tried both TZ=US/Central and TZ=America/Chicago (one at a time) so that when the log is searched, we expect there to be no difference between the timestamp (_time) and the time present in the event data.
We have the props present on the UF and Heavy Forwarder but not on the Indexers.
Unfortunately, the TZ attribute in props.conf does not seem to be working on Splunk Enterprise version 7.0.4.

Is this a known bug?
We cannot change the timezone for the user on Splunk Account Setting since it will change something on the other logs that they are working on.

Regards,
Kevin

0 Karma
1 Solution

ololdach
Builder

Hi Kevin,
this is an excerpt from the docs:

To determine the time zone to assign to a timestamp, Splunk software uses the following logic:
1. Use the time zone specified in raw event data (for example, PST, -0800), if present.
2. Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.
3. If the forwarder and the receiving indexer are version 6.0 or later, use the time zone that the forwarder provides.
4. Use the time zone of the host that indexes the event.
Note: If you change the time zone setting of the host machine of your forwarder, you must restart the forwarder for the software to detect the change.

Check if the event's timestamp contains a time zone. If you want to override that with your own, use the TIME_FORMAT setting to exclude the time zone from the timestamp. Since you want to index the same sourcetype from multiple time zones, bind the TZ settings to the host rather than the sourcetype. That way you rule out that some settings on the indexer overrule your settings on the forwarder, and you can keep it consistent. Please note that the time of the timestamp in the Splunk UI will always be in the local time zone of the browser. So if I am at EST and the event is correctly indexed at 9:00 UTC, the UI would claim that the event was in fact at 4:00 local, assuming EST is UTC-5.
Oliver
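The four-step precedence quoted above, modelled in Python as an added example (this is not Splunk's code and not part of the thread). It parses a constructed props.conf excerpt that binds TZ to host stanzas, as the answer recommends, applies the documented order (zone in the raw event, then TZ from props.conf, then the forwarder's zone, then the indexer's) to sample log lines, and renders the resulting _time the way the UI would for a browser in EST. The host names, log lines, abbreviation table and EST_FIXED offset are all assumptions made for the example; the stanza matching uses shell-style wildcards, which Splunk supports in host:: stanzas.

```python
import configparser
import fnmatch
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed props.conf excerpt (not from the thread): TZ is bound to host
# stanzas rather than the sourcetype, and TIME_FORMAT carries no zone field,
# so the TZ attribute is what decides the offset.
PROPS_CONF = """\
[host::webhost-utc-*]
TZ = UTC
TIME_FORMAT = %Y-%m-%d %H:%M:%S

[host::appserver-cst-*]
TZ = America/Chicago
TIME_FORMAT = %Y-%m-%d %H:%M:%S
"""

# Step 1 of the documented logic also honours abbreviations such as PST; this
# small table is a constructed stand-in for Splunk's own list.
TZ_ABBREVIATIONS = {"UTC": 0, "GMT": 0, "PST": -8, "EST": -5, "CST": -6}

# Oliver's assumption in the answer: EST is UTC-5 (fixed offset, no DST).
EST_FIXED = timezone(timedelta(hours=-5))

# Leading timestamp, optionally followed by a numeric offset or an abbreviation.
TIMESTAMP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?:\s+(?P<zone>[+-]\d{4}|[A-Z]{3}))?"
)


def load_props(text):
    """Parse a props.conf-style string; keys keep their case (TZ, TIME_FORMAT)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def props_tz_for_host(props, host):
    """Return the TZ value of the first [host::pattern] stanza matching host, or None."""
    for section in props.sections():
        if section.startswith("host::") and fnmatch.fnmatch(host, section[len("host::"):]):
            return props[section].get("TZ")
    return None


def assign_timezone(event, host, props, forwarder_tz=None, indexer_tz="UTC"):
    """Return (epoch_seconds, rule) for the event using the four-step precedence."""
    m = TIMESTAMP_RE.match(event)
    if not m:
        raise ValueError("no leading timestamp in event")
    naive = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    zone = m.group("zone")

    # 1. A zone present in the raw event wins over anything in props.conf.
    if zone and (zone[0] in "+-" or zone in TZ_ABBREVIATIONS):
        if zone[0] in "+-":
            sign = 1 if zone[0] == "+" else -1
            offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
        else:
            offset = timedelta(hours=TZ_ABBREVIATIONS[zone])
        return int(naive.replace(tzinfo=timezone(offset)).timestamp()), "raw event"

    # 2. TZ from a props.conf stanza that matches the host.
    tz_name = props_tz_for_host(props, host)
    if tz_name:
        return int(naive.replace(tzinfo=ZoneInfo(tz_name)).timestamp()), "props.conf"

    # 3. Zone reported by the forwarder (forwarder and indexer both 6.0+).
    if forwarder_tz:
        return int(naive.replace(tzinfo=ZoneInfo(forwarder_tz)).timestamp()), "forwarder"

    # 4. Zone of the host that indexes the event.
    return int(naive.replace(tzinfo=ZoneInfo(indexer_tz)).timestamp()), "indexer"


def render_for_browser(epoch, browser_tz):
    """What the UI shows: the indexed _time converted to the browser's zone."""
    return datetime.fromtimestamp(epoch, tz=browser_tz).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    props = load_props(PROPS_CONF)
    line = "2024-03-26 09:00:00 login failed for user svc-backup"  # constructed
    for host in ("webhost-utc-01", "appserver-cst-01"):
        epoch, rule = assign_timezone(line, host, props)
        print(host, epoch, rule, "shown in EST as", render_for_browser(epoch, EST_FIXED))
```

The same wall-clock string indexed from the UTC host and the Chicago host lands on different epochs, TZ=US/Central and TZ=America/Chicago agree because they are aliases of one zone, and a line that already carries "-0800" ignores the stanza entirely; that last case is the first thing to rule out when a TZ setting appears to do nothing.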

