Why is the configured timezone in props.conf on the universal forwarder not being applied?

rkeenan
Explorer

We're using Splunk 6.1, so I think we're able to set TZ in the props.conf on the UF. However, this doesn't seem to work: the server is EST and the logs are GMT, so the entries show up as being in the future.

We've created the file below:
/opt/splunkforwarder/etc/apps//local/props.conf

It only contains these two lines:
[default]
TZ = GMT

Is there anything we're doing wrong? If there's nothing obvious, we're planning to update props.conf on the indexer (updating from default to a host regex).

Thanks

Lucas_K
Motivator

I fixed it like this.

My raw timestamp: TUE APR 07 2015 14:47:58 EST (actual time zone is GMT+10:00, i.e. Eastern [Australian] Standard Time, not US).

You can use either a host-based or a source-based props.conf stanza.

props.conf on a 6.1.5 UF:

[host::somehost] 
TZ_ALIAS = EST=GMT+10:00

[source::/tmp/*] 
TZ_ALIAS = EST=GMT+10:00

Either of those should work. Change the TZ_ALIAS setting as required.
So in your case it would be something like:

[source::/tmp/*] 
TZ_ALIAS = GMT=GMT-5:00

Assuming your EST = American EST. The "GMT=" should be whatever is in your raw timestamp.

I think this worked due to the order of timezone detection (see the list at the bottom).
I would guess that the TZ setting isn't working because your raw timestamp has a timezone set inside it, similar to my example, which has the highest precedence.

The order as per docs.splunk.com:

  1. If the event has a timezone in its raw text (for example UTC -08:00) use that.
  2. If TZ is set to a valid timezone string use that.
  3. If the event was forwarded and the forwarder-indexer connection is using the 6.0+ forwarding protocol use the timezone provided by the forwarder.
  4. Otherwise use the timezone of the system that is running splunkd.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Propsconf

0 Karma
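The detection order quoted in the answer above, modeled as a small Python function. This is an added example, not part of the original thread and not Splunk's code. The abbreviation table, the function names and the restriction to GMT±H:MM offsets are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed default meanings for abbreviations (an assumption, not Splunk's table).
DEFAULT_ABBREV = {"GMT": 0, "UTC": 0, "EST": -5 * 60}

def parse_offset(spec):
    """'GMT', 'GMT+10:00' or 'GMT-5:00' -> minutes east of GMT."""
    m = re.fullmatch(r"(?:GMT|UTC)(?:([+-])(\d{1,2}):(\d{2}))?", spec.strip())
    if not m:
        raise ValueError(f"unsupported timezone spec: {spec!r}")
    if m.group(1) is None:
        return 0
    minutes = int(m.group(2)) * 60 + int(m.group(3))
    return minutes if m.group(1) == "+" else -minutes

def parse_tz_alias(value):
    """'EST=GMT+10:00,CST=GMT-6:00' -> {'EST': 600, 'CST': -360}."""
    aliases = {}
    for pair in filter(None, (p.strip() for p in value.split(","))):
        abbrev, _, spec = pair.partition("=")
        aliases[abbrev.strip()] = parse_offset(spec)
    return aliases

def resolve(raw, tz=None, tz_alias="", forwarder_tz=None, system_tz="GMT"):
    """Return (event time in UTC, number of the rule that decided the zone)."""
    known = {**DEFAULT_ABBREV, **parse_tz_alias(tz_alias)}
    parts = raw.split()
    if parts[-1] in known:            # 1. zone named in the raw event text
        offset, rule, parts = known[parts[-1]], 1, parts[:-1]
    elif tz:                          # 2. TZ from props.conf
        offset, rule = parse_offset(tz), 2
    elif forwarder_tz:                # 3. zone reported by the forwarder
        offset, rule = parse_offset(forwarder_tz), 3
    else:                             # 4. zone of the host running splunkd
        offset, rule = parse_offset(system_tz), 4
    local = datetime.strptime(" ".join(parts), "%a %b %d %Y %H:%M:%S")
    aware = local.replace(tzinfo=timezone(timedelta(minutes=offset)))
    return aware.astimezone(timezone.utc), rule

if __name__ == "__main__":
    raw = "TUE APR 07 2015 14:47:58 EST"   # timestamp format from the answer
    for label, kwargs in [
        ("TZ = GMT only", {"tz": "GMT"}),
        ("TZ_ALIAS = EST=GMT+10:00", {"tz": "GMT", "tz_alias": "EST=GMT+10:00"}),
    ]:
        when, rule = resolve(raw, **kwargs)
        print(f"{label:26} rule {rule} -> {when.isoformat()}")
```

In both runs rule 1 decides the zone, so the TZ value is never consulted; only the alias changes what the abbreviation in the event text means.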

muebel
SplunkTrust

This seems along the same lines as the question here: http://answers.splunk.com/answers/31258/tz-offset-in-props-conf-not-working.html

Could you try to specify the timezone configuration at a source-level stanza rather than default?

0 Karma

Lucas_K
Motivator

Has anyone ever made UF-based TZ modifications work?

Host stanza doesn't work.
Source-based stanza doesn't work.

0 Karma