The timezone on my Splunk indexer is GMT and the Windows machine is PST.
I found that the metadata from Windows Event Logs loses the timezone info, so the time in raw events is 8 hours earlier than `_time`, which is the real time in GMT.
The effect is that all of these logs will be 8 hours earlier than the real time after a `collect` action, such as in the following image, which just collects the data into a new index.
I want Windows Event Logs to have timezone info added, or to be able to modify the time info in the Windows Splunk universal forwarder.
I have tried changing props.conf on the forwarder and indexer, but it changes the timestamp, not the raw events.
What's more, I will not change the system timezone on the machine because unknown problems may be introduced into the systems.
Can I change the time info in Windows Event Logs without changing the Windows system timezone?
First and foremost - I'd change the ingestion format of windows logs from the traditional "plaintext" to XML. I've never encountered time-related problems with XML-reported windows logs (apart from the cases when the timezone itself was indeed wrongly set on the source machine).
Hi @Alex00001 ,
see props.conf at https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Propsconf
you can find:
```
TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
    use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
    the version 6.0 and higher forwarding protocol, use the timezone provided
    by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string
```
In this way you can configure the correct timezone for your logs.
Ciao.
Giuseppe
Thank you for your answer.
I had tried the TZ attribute, and as far as I know, it only changes the timestamp but does not change the time info in the Windows raw event.
What I want is shown in the following image; I don't know if I made my problem clear.
Hi @Alex00001 ,
Splunk by default doesn't modify raw logs;
using TZ you give your events the correct timestamp to correlate them with other data sources.
If you want, you can modify events before indexing, but my hint is to assign the correct timestamp and leave the original time on the events.
Ciao.
Giuseppe
Thank you for your advice. I wonder how I can modify events before indexing in WinEventLog.
And what makes me confused is why the Splunk forwarder doesn't add timezone info to WinEventLog events.
Although TZ can make `_time` equal to the raw time in the logs, that is not the real time the log was reported in my timezone, and it will add persistent work to remind others that we have some logs not in our timezone and blabla...
I need to manage the logs uniformly instead of dividing them into different indexes by timezone.
Thank you.
Hi @Alex00001 ,
you don't need to put logs in different indexes by timezone; in fact it isn't good practice: indexes are usually chosen for retention and access grants.
Setting the timezone in props.conf, you set the correct timestamp while preserving the original event log, and you can correlate events from different settings because the timestamps are correct.
Ciao.
Giuseppe
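To make the props.conf TZ rule quoted above concrete, here is an added Python illustration (not from the thread or from Splunk) of how the epoch Splunk stores in `_time` depends on TZ when the raw Windows timestamp carries no zone, and why the raw text then reads 8 hours earlier than `_time` when viewed from a GMT indexer. The timestamp and the zone names are constructed for the example; the `assign_time` function is a simplified model of the rule, not Splunk's own code.

```python
from datetime import datetime
from typing import Optional
from zoneinfo import ZoneInfo

# Constructed sample: a classic-format Windows event log timestamp.
# The raw text has no timezone offset, so rule 1 of the TZ algorithm
# (zone present in raw text) never applies to it.
RAW_TIMESTAMP = "01/15/2023 09:30:00 AM"
RAW_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def assign_time(raw_ts: str, tz: Optional[str], splunkd_tz: str = "UTC") -> int:
    """Model of the TZ rule for a raw timestamp with no zone in its text:
    use TZ if set, otherwise the zone of the system running splunkd
    (the GMT indexer in this thread). Returns the epoch seconds that
    would be stored in _time. The raw text itself is never rewritten."""
    naive = datetime.strptime(raw_ts, RAW_FORMAT)
    zone = ZoneInfo(tz) if tz else ZoneInfo(splunkd_tz)
    return int(naive.replace(tzinfo=zone).timestamp())


def drift_hours(raw_ts: str, source_tz: str) -> float:
    """How far _time is off when TZ is left unset on a GMT indexer versus
    set to the source machine's zone. Handles DST: the gap is 8 h in winter
    (PST) but only 7 h in summer (PDT), so a fixed offset would be wrong."""
    return (assign_time(raw_ts, source_tz) - assign_time(raw_ts, None)) / 3600


def render_in(epoch: int, tz: str) -> str:
    """Show the stored _time in the viewer's zone, in the same format as the
    raw text, to compare against what the raw event still says."""
    return datetime.fromtimestamp(epoch, ZoneInfo(tz)).strftime(RAW_FORMAT)


if __name__ == "__main__":
    correct = assign_time(RAW_TIMESTAMP, "America/Los_Angeles")
    print("raw text:            ", RAW_TIMESTAMP)
    print("_time shown in GMT:  ", render_in(correct, "UTC"))
    print("drift without TZ (h):", drift_hours(RAW_TIMESTAMP, "America/Los_Angeles"))
```

With TZ set (or the forwarder's zone supplied over the 6.0+ protocol) `_time` is correct and only the raw text looks 8 hours behind in a GMT view; with TZ unset on a GMT indexer, `_time` itself is wrong by the same amount.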