Why is the timezone for DNS logs from multiple reg...

lohitkidu · ‎05-23-2016

Hi,

I have DNS logs coming from multiple geographies -Australia, India etc. My whole Splunk infrastructure is in UTC including the Search Head. My problem is Splunk is not able to show these multiple timestamps in UTC format. Rather, it is treating them (Australia, India time) as local time/UTC.

SAMPLE EVENT

May 24 16:39:48 dns-A-1-l named[576]: 24-May-2016 16:39:48.346 client

Splunk is showing these events in their local time i.e 16:39:48.346 which is causing future timestamping since my SH is in UTC.

Below is props.conf

TIME_PREFIX=named\[\d+\]\:\s
TIME_FORMAT=%d-%b-%Y %H:%M:%S.%Q
MAX_TIMESTAMP_LOOKAHEAD = 24
TZ=UTC

I event tried setting commenting out TZ=UTC but to no avail.

Any idea please ?

jmallorquin · ‎05-24-2016

Hi,

You have to configure TZ in the forwarder, if you apply in the indexer it doesn't apply.

Hope i help you

lohitkidu · ‎05-24-2016

Yes it is on Forwarder.

lohitkidu · ‎05-24-2016

I think i should not specify TZ=UTC as that is telling splunk that all the sourcetypes are in UTC which is not the case. Should i set up datetime_config=current since my HF are in UTC or doing it per source is my only option ?

Why is the timezone for DNS logs from multiple regions not getting localized?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

Why is the timezone for DNS logs from multiple regions not getting localized?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!