Getting Data In

With IIS logs in GMT and the forwarder, indexer, and search head in UTC, what configuration do I need for a user in BST to search logs real-time?

DanielFordWA
Contributor

Hi,

I have the following setup:

Forwarder
Server (UTC) Dublin, Edinburgh, Lisbon, London and seems to follow daylight savings, server clock 16:19
Logs UTC+0 - 15:19

Indexer & Search Head (UTC) Dublin, Edinburgh, Lisbon, London and seems to follow daylight savings, server clock 16:19

User set to GMT : London - Europe/London

When BST comes around, real-time does not work. What settings do I need to change so that a user in BST will be able to see real-time logs all year round when searching?

All logs seem to be displayed in UTC+0, with the timestamp taken directly from the logs of 15:19, so searching over the last hour brings no results.

All users know the logs are in UTC+0 without daylight saving adjustments, but I would like real-time to work in BST.

0 Karma
1 Solution

woodcock
Esteemed Legend

You need to add TZ=BST to the props.conf file for that input (host) and send it to all of your indexers and restart the Splunk services there.


DanielFordWA
Contributor

Thanks for the reply.

Just to confirm is this the props.conf on the forwarder or the indexer?

So on the forwarder?
[host::NLDNxxxxDAP]
TZ=BST

The logs on the data collector server are recorded by other software that is UTC+0, but the server clock is '(UTC) Dublin, Edinburgh, Lisbon, London' and seems to follow daylight savings. So the server clock time is 8:29 and the logs on the same server are recorded as 7:29. The forwarder sits on this server and forwards logs to the indexer.

Even with the above settings, when the logs are forwarded and indexed in Splunk, the _time is identical to that in the raw logs, so 7:29, hence real-time will not work.

0 Karma

linu1988
Champion

Daniel, the props.conf will have to be set up on the indexer, not the forwarder. Newer entries will get adjusted according to your config. You can modify anything for the indexed items, or better, re-index them.

0 Karma

woodcock
Esteemed Legend

I do not understand your last sentence, but you need to deploy this change to the entity that is doing the indexing, which is usually all the indexers (unless you are using a Heavy Forwarder or INDEXED_EXTRACTIONS on a regular forwarder), and then restart all Splunk instances there.

0 Karma

DanielFordWA
Contributor

TZ = Universal solved the issue, you got me on the right track! Thanks.

0 Karma
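The skew the thread describes, as an added worked example (this is not code from the thread or from Splunk, and the log line, clock value and props.conf stanzas in it are constructed). IIS writes timestamps in UTC with no zone marker; an indexer on a Europe/London host reads that naive value as host local time, which is correct in winter (GMT = UTC) and one hour off in summer (BST = UTC+1), so _time lands an hour in the past and a real-time window never contains the event. The example uses fixed UTC+0 and UTC+1 offsets in place of the real Europe/London zone so it runs without a tz database, treats a TZ value of "BST" as the same UTC+1 zone the host is already in (an assumption; the thread only reports that this value did not move _time), and maps "UTC" and "Universal" to UTC. The stanza name is the one quoted in the thread. Whichever value you pick, it has to be in props.conf on the instance that parses the event (the indexers, or a heavy forwarder / INDEXED_EXTRACTIONS forwarder), as the accepted answer says.

```python
"""Added example, not code from the thread or from Splunk.

Shows why a UTC timestamp with no zone marker is indexed an hour in the past
when the indexer host is in BST, and why a props.conf TZ override fixes it.
"""
from datetime import datetime, timedelta, timezone

# Constructed IIS W3C log line, written at 15:19:05 UTC on a summer day.
IIS_LINE = ("2015-07-01 15:19:05 10.0.0.5 GET /index.html - 443 - "
            "203.0.113.9 Mozilla/5.0 200 0 0 12")

# Constructed reference clock: the real instant at which the line was written.
NOW_UTC = datetime(2015, 7, 1, 15, 19, 5, tzinfo=timezone.utc)

# Assumption: fixed offsets stand in for the host's winter and summer local
# zones so the example runs without tz database files on the machine.
GMT = timezone.utc                          # Europe/London in winter
BST = timezone(timedelta(hours=1), "BST")   # Europe/London in summer

# Constructed props.conf stanzas for the host name quoted in the thread.
# Assumption: "BST" resolves to the same UTC+1 zone the host is already in;
# "UTC" and "Universal" both mean UTC.
PROPS_BEFORE = """
[host::NLDNxxxxDAP]
TZ = BST
"""
PROPS_AFTER = """
[host::NLDNxxxxDAP]
TZ = UTC
"""
TZ_TABLE = {"BST": BST, "UTC": timezone.utc, "Universal": timezone.utc}


def props_tz(props_text, stanza):
    """Return the TZ value of one stanza in props.conf-style text, else None."""
    current = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == stanza:
            key, sep, value = line.partition("=")
            if sep and key.strip() == "TZ":
                return value.strip()
    return None


def event_time_utc(iis_line, host_tz, tz_override=None):
    """Interpret the naive IIS timestamp as an indexer would and return it in UTC.

    Without an override the naive value is taken to be host local time; with an
    override it is taken to be the configured zone.
    """
    date_str, time_str = iis_line.split(" ", 2)[:2]
    naive = datetime.strptime(f"{date_str} {time_str}", "%Y-%m-%d %H:%M:%S")
    zone = host_tz if tz_override is None else TZ_TABLE[tz_override]
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def lag_seconds(iis_line, host_tz, tz_override=None, now=NOW_UTC):
    """Seconds by which the indexed _time trails the real instant (0 is correct)."""
    return int((now - event_time_utc(iis_line, host_tz, tz_override)).total_seconds())


def visible_in_realtime(iis_line, host_tz, tz_override=None, window=60, now=NOW_UTC):
    """Would a real-time search with a `window`-second lookback show the event?"""
    lag = lag_seconds(iis_line, host_tz, tz_override, now)
    return 0 <= lag < window


if __name__ == "__main__":
    stanza = "host::NLDNxxxxDAP"
    for label, host_tz, props in [("winter, no TZ", GMT, None),
                                  ("summer, no TZ", BST, None),
                                  ("summer, TZ = BST", BST, PROPS_BEFORE),
                                  ("summer, TZ = UTC", BST, PROPS_AFTER)]:
        override = props_tz(props, stanza) if props else None
        print(f"{label:18} lag={lag_seconds(IIS_LINE, host_tz, override):5d}s "
              f"realtime={visible_in_realtime(IIS_LINE, host_tz, override)}")
```

Running it prints a lag of 0 s in winter and with TZ = UTC, and 3600 s in summer with no override or with TZ = BST; only the 0 s cases fall inside a 60-second real-time window, which is the behaviour the thread reports.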

woodcock
Esteemed Legend

OK, don't forget to "Accept" the answer to close out the question.

0 Karma