Getting Data In

Why is TZ attribute on props.conf not working on Splunk Enterprise version 7.0.4?

jaracan
Communicator

Hi Team,

We have client UFs on UTC, and Splunk HF, IDX and SH on the CST time zone. The Splunk Enterprise version is v7.0.4.
We have created props and tried both TZ=US/Central and TZ=America/Chicago (one at a time) so that when the log is searched, we expect there to be no difference between the timestamp (_time) and the time present in the event data.
We have the props present on the UF and Heavy Forwarder, but not on the Indexers.
Unfortunately, the TZ attribute in props.conf does not seem to be working on Splunk Enterprise version 7.0.4.

Is this a known bug?
We cannot change the time zone for the user in the Splunk Account Settings, since it would change something in the other logs they are working on.

Regards,
Kevin

1 Solution

ololdach
Builder

Hi Kevin,
this is an excerpt from the docs:

To determine the time zone to assign to a timestamp, Splunk software uses the following logic:
1. Use the time zone specified in raw event data (for example, PST, -0800), if present.
2. Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.
3. If the forwarder and the receiving indexer are version 6.0 or later, use the time zone that the forwarder provides.
4. Use the time zone of the host that indexes the event.
Note: If you change the time zone setting of the host machine of your forwarder, you must restart the forwarder for the software to detect the change.

Check if the event's timestamp contains a time zone. If you want to override that with your own, use the TIME_FORMAT setting to exclude the time zone from the timestamp. Since you want to index the same sourcetype from multiple time zones, bind the TZ settings to the host rather than to the sourcetype. That way you rule out that some settings on the indexer overrule your settings on the forwarder, and you can keep it consistent. Please note that the time of the timestamp in the Splunk UI will always be in the local time zone of the browser. So if I am at EST and the event is correctly indexed at 9:00 UTC, the UI would claim that the event was in fact at 4:00 local, assuming EST is UTC-5.
Oliver
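As an added illustration (not Splunk's code and not from either post), the Python model below applies the four-step precedence quoted above to constructed sample events: it shows why a sourcetype-level TZ looks ignored when the raw timestamp already carries an offset (step 1 wins), how a host-bound stanza with a TIME_FORMAT that omits %z lets TZ take effect (step 2), and how the same epoch renders in a browser's local zone. The host name, sourcetype, source path, log layout and zone names are assumptions; stanza matching is simplified to exact keys.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo  # Python 3.9+
# Constructed sample events: one carries an explicit offset, the other does not.
EVENT_WITH_OFFSET = "2024-01-15 09:00:00 +0000 user=kevin action=login"
EVENT_NO_OFFSET = "2024-01-15 09:00:00 user=kevin action=login"
BASE_FMT = "%Y-%m-%d %H:%M:%S"   # assumed log timestamp layout, without %z

def match_stanza(props, host, source, sourcetype):
    """props.conf resolves stanza types in the order source, host, sourcetype (exact keys here)."""
    for key in (f"source::{source}", f"host::{host}", sourcetype):
        if key in props:
            return props[key]
    return {}

def pick_timezone(raw_tz, stanza, forwarder_tz, indexer_tz):
    """The four documented steps; returns (step number, tzinfo)."""
    if raw_tz is not None:           # 1. zone present in the raw timestamp
        return 1, raw_tz
    if "TZ" in stanza:               # 2. TZ from the matching stanza
        return 2, ZoneInfo(stanza["TZ"])
    if forwarder_tz:                 # 3. zone supplied by a 6.0+ forwarder
        return 3, ZoneInfo(forwarder_tz)
    return 4, ZoneInfo(indexer_tz)   # 4. zone of the indexing host

def index_time(raw, host, sourcetype, props, forwarder_tz="UTC",
               indexer_tz="America/Chicago", source="/var/log/app.log"):
    """Assign _time (epoch seconds) to one event; also returns the step used."""
    stanza = match_stanza(props, host, source, sourcetype)
    fields = raw.split()
    if "TIME_FORMAT" in stanza:      # an explicit TIME_FORMAT is authoritative
        fmt = stanza["TIME_FORMAT"]
    else:                            # otherwise auto-detect a trailing offset
        fmt = BASE_FMT + (" %z" if re.fullmatch(r"[+-]\d{4}", fields[2]) else "")
    parsed = datetime.strptime(" ".join(fields[:len(fmt.split())]), fmt)
    step, tz = pick_timezone(parsed.tzinfo, stanza, forwarder_tz, indexer_tz)
    aware = parsed if step == 1 else parsed.replace(tzinfo=tz)
    return step, int(aware.timestamp())

def shown_in_browser(epoch, browser_tz):
    """The search UI renders _time in the browser's zone, not the indexer's."""
    return datetime.fromtimestamp(epoch, ZoneInfo(browser_tz)).strftime("%H:%M")

if __name__ == "__main__":
    symptom = {"app_log": {"TZ": "America/Chicago"}}           # raw "+0000" wins: step 1
    fix = {"host::utc-client-01": {"TZ": "America/Chicago", "TIME_FORMAT": BASE_FMT}}
    for props in (symptom, fix):
        print(index_time(EVENT_WITH_OFFSET, "utc-client-01", "app_log", props))
    print(shown_in_browser(1705309200, "America/New_York"))    # 09:00 UTC shows 04:00
```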

