Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the configured timezone in props.conf on the universal forwarder not being applied?

rkeenan
Explorer
‎03-05-2015 02:05 PM

We're using splunk 6.1 so I think we're able to set TZ in the props.conf on the UF. However this doesn't seem to work, the server is EST and the logs are GMT so the entries show up as being in the future.

We've created the file below:
/opt/splunkforwarder/etc/apps//local/props.conf

It only contains these two lines:
[default]
TZ = GMT

Is there anything we're doing wrong? If there's nothing obvious we're planning to update props.conf on the indexer (updating from default to a host regex)

Thanks

Reply

Lucas_K
Motivator
‎04-07-2015 05:49 PM

I fixed it like this.

My raw time stamp : TUE APR 07 2015 14:47:58 EST (actual time zone is GMT+10:00 ie Eastern [Australian ] Standard Time not US).

You can use either a host or source based props.conf stanza

props.conf on a 6.1.5 UF.

[host::somehost] 
TZ_ALIAS = EST=GMT+10:00

[source::/tmp/*] 
TZ_ALIAS = EST=GMT+10:00

Either of those should work. Change the TZ_ALIAS setting as required.
So in your case it would be something like :

[source::/tmp/*] 
TZ_ALIAS = GMT=GMT-5:00

Assuming your EST = american est. The "GMT=" should be what ever is in your RAW timestamp.

I think this worked due to the order of timezone detection (see list at the bottom)
I would guess that as the TZ setting isn't working because your raw timestamp has a timezone set inside it similar to my example? Which has the highest precedence.

The order as per docs.splunk.com

  1. If the event has a timezone in its raw text (for example UTC -08:00) use that.
  2. If TZ is set to a valid timezone string use that.
  3. If the event was forwarded and the forwarder-indexer connection is using the 6.0+ forwarding protocol use the timezone provided by the forwarder.
  4. Otherwise use the timezone of the system that is running splunkd.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Propsconf

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎03-06-2015 07:01 PM

This seems along the same lines as the question here : http://answers.splunk.com/answers/31258/tz-offset-in-props-conf-not-working.html

Could you try to specify the timezone configuration at a source-level stanza rather than default?

0 Karma
Reply

Lucas_K
Motivator
‎04-01-2015 03:37 PM

Has anyone ever made UF based TZ modifications work?

host stanza doesn't work.
source based stanza doesn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...