Why is the configured timezone in props.conf on the universal forwarder not being applied?

rkeenan
Explorer

We're using Splunk 6.1, so I think we're able to set TZ in the props.conf on the UF. However, this doesn't seem to work: the server is EST and the logs are GMT, so the entries show up as being in the future.

We've created the file below:
/opt/splunkforwarder/etc/apps//local/props.conf

It only contains these two lines:
[default]
TZ = GMT

Is there anything we're doing wrong? If there's nothing obvious, we're planning to update props.conf on the indexer (updating from default to a host regex).

Thanks

Lucas_K
Motivator

I fixed it like this.

My raw timestamp: TUE APR 07 2015 14:47:58 EST (actual time zone is GMT+10:00, i.e. Eastern [Australian] Standard Time, not US).

You can use either a host- or source-based props.conf stanza.

props.conf on a 6.1.5 UF.

[host::somehost] 
TZ_ALIAS = EST=GMT+10:00

[source::/tmp/*] 
TZ_ALIAS = EST=GMT+10:00

Either of those should work. Change the TZ_ALIAS setting as required.
So in your case it would be something like:

[source::/tmp/*] 
TZ_ALIAS = GMT=GMT-5:00

Assuming your EST = American EST. The "GMT=" should be whatever is in your RAW timestamp.

I think this worked due to the order of timezone detection (see list at the bottom).
I would guess that the TZ setting isn't working because your raw timestamp has a timezone set inside it, similar to my example? That has the highest precedence.

The order as per docs.splunk.com:

  1. If the event has a timezone in its raw text (for example UTC -08:00) use that.
  2. If TZ is set to a valid timezone string use that.
  3. If the event was forwarded and the forwarder-indexer connection is using the 6.0+ forwarding protocol use the timezone provided by the forwarder.
  4. Otherwise use the timezone of the system that is running splunkd.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Propsconf

0 Karma
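A simplified model of the four-step order quoted in the answer above, run against that answer's sample timestamp. This is an added example, not Splunk's code and not part of the original posts: the function names, the `DEFAULT_ABBREVIATIONS` table and the restriction to `GMT±H:MM` offsets are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed default meanings for abbreviations found in raw text (model only).
DEFAULT_ABBREVIATIONS = {"EST": "GMT-5:00", "GMT": "GMT", "UTC": "GMT"}
STAMP = re.compile(r"(\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})(?: ([A-Z]{2,5}))?")


def parse_offset(spec):
    """Convert 'GMT', 'GMT+10:00' or 'GMT-5:00' into a fixed-offset tzinfo."""
    m = re.fullmatch(r"(?:GMT|UTC)(?:([+-])(\d{1,2}):(\d{2}))?", spec)
    if not m:
        raise ValueError(f"unsupported timezone spec: {spec!r}")
    if m.group(1) is None:
        return timezone.utc
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return timezone(delta if m.group(1) == "+" else -delta)


def resolve_timezone(raw_abbrev, tz_alias="", tz=None, forwarder_tz=None,
                     system_tz="GMT"):
    """Walk the four-step order; return (timezone spec, step that supplied it)."""
    aliases = dict(p.strip().split("=", 1) for p in tz_alias.split(",") if "=" in p)
    if raw_abbrev:  # step 1: zone in the raw text, after alias substitution
        spec = aliases.get(raw_abbrev) or DEFAULT_ABBREVIATIONS.get(raw_abbrev)
        if spec:
            return spec, "raw event text"
    if tz:  # step 2: TZ from props.conf
        return tz, "TZ setting"
    if forwarder_tz:  # step 3: zone reported by the forwarder
        return forwarder_tz, "forwarder"
    return system_tz, "system"  # step 4: zone of the host running splunkd


def to_utc(raw, **settings):
    """Parse a stamp like 'TUE APR 07 2015 14:47:58 EST' and normalise to UTC."""
    m = STAMP.fullmatch(raw.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {raw!r}")
    naive = datetime.strptime(m.group(1).title(), "%a %b %d %Y %H:%M:%S")
    spec, step = resolve_timezone(m.group(2), **settings)
    return naive.replace(tzinfo=parse_offset(spec)).astimezone(timezone.utc), step
```

In this model, passing `tz="GMT"` for a timestamp that already carries `EST` changes nothing, while `tz_alias="EST=GMT+10:00"` moves the resulting UTC time by 15 hours.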

muebel
SplunkTrust

This seems along the same lines as the question here: http://answers.splunk.com/answers/31258/tz-offset-in-props-conf-not-working.html

Could you try to specify the timezone configuration at a source-level stanza rather than default?

0 Karma

Lucas_K
Motivator

Has anyone ever made UF-based TZ modifications work?

Host stanza doesn't work.
Source-based stanza doesn't work.

0 Karma