
With IIS logs in GMT and the forwarder, indexer, and search head in UTC, what configuration do I need for a user in BST to search logs real-time?

Contributor

Hi,

I have the following setup:

Forwarder
Server (UTC) Dublin, Edinburgh, Lisbon, London and seems to follow daylight savings, server clock 16:19
Logs UTC+0 - 15:19

Indexer & Search Head (UTC) Dublin, Edinburgh, Lisbon, London and seems to follow daylight savings, server clock 16:19

User set to GMT : London - Europe/London

When BST comes around, real-time does not work. What settings do I need to change so that a user in BST will be able to see real-time logs all year round when searching?

All logs seem to be displayed in UTC+0, with the timestamp taken directly from the logs of 15:19, so searching over the last hour brings no results.

All users know the logs are in UTC+0 without daylight saving adjustments, but I would like real-time to work in BST.

0 Karma

Re: With IIS logs in GMT and the forwarder, indexer, and search head in UTC, what configuration do I need for a user in BST to search logs real-time?

Esteemed Legend

You need to add TZ=BST to the props.conf file for that input (host) and send it to all of your indexers and restart the Splunk services there.


Re: With IIS logs in GMT and the forwarder, indexer, and search head in UTC, what configuration do I need for a user in BST to search logs real-time?

Contributor

Thanks for the reply.

Just to confirm is this the props.conf on the forwarder or the indexer?

So on the forwarder?
[host::NLDNxxxxDAP]
TZ=BST

The logs on the data collector server are recorded by other software that is UTC+0, but the server clock is '(UTC) Dublin, Edinburgh, Lisbon, London' and seems to follow daylight savings. So server clock time = 8:29 and logs on the same server are recorded as 7:29. The forwarder sits on this server and forwards logs to the indexer.

Even with the above settings, when the logs are forwarded and indexed in Splunk, the _time is identical to that in the raw logs, so 7:29, hence real-time will not work.

0 Karma

Re: With IIS logs in GMT and the forwarder, indexer, and search head in UTC, what configuration do I need for a user in BST to search logs real-time?

Esteemed Legend

I do not understand your last sentence but you need to deploy this change to the entity that is doing the indexing which is usually all the indexers (unless you are using a Heavy Forwarder or INDEXED_EXTRACTIONS on a regular forwarder) and then restart all Splunk instances there.

0 Karma

Re: With IIS logs in GMT and the forwarder, indexer, and search head in UTC, what configuration do I need for a user in BST to search logs real-time?

Contributor

TZ = Universal solved the issue, you got me on the right track! Thanks.

0 Karma
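To see why the search window stays empty until the TZ setting is applied on the indexer, here is an added Python model (not code from the thread or from Splunk) of how a UTC IIS timestamp lands in _time when the indexer assumes the server's Europe/London zone versus TZ = UTC/Universal. The log lines are constructed, and the UK summer-time rule (last Sunday of March to last Sunday of October) is hard-coded as an assumption rather than read from tzdata.

```python
from datetime import datetime, timedelta, timezone

# Constructed IIS (W3C) log lines: IIS writes timestamps in UTC with no zone marker.
LOG_LINES = [
    "2019-01-15 07:29:00 GET /index.html 200",  # winter: GMT == UTC, no skew
    "2019-06-10 07:29:00 GET /index.html 200",  # summer: server clock on BST
]

def last_sunday(year, month):
    """Last Sunday of the given month, as a naive midnight datetime."""
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1)
    last_day = first_of_next - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)

def bst_active(local_naive):
    """Assumed UK rule: BST starts last Sunday of March at 01:00 GMT and
    ends last Sunday of October at 02:00 BST (01:00 UTC)."""
    y = local_naive.year
    start = last_sunday(y, 3) + timedelta(hours=1)
    end = last_sunday(y, 10) + timedelta(hours=2)
    return start <= local_naive < end

def index_time(log_line, tz_setting):
    """Epoch _time the indexer would assign under the given props.conf TZ.
    Only the settings relevant to the thread are modelled."""
    naive = datetime.strptime(log_line[:19], "%Y-%m-%d %H:%M:%S")
    if tz_setting in ("UTC", "Universal"):
        offset_h = 0                       # timestamp taken as UTC, as IIS wrote it
    elif tz_setting == "Europe/London":
        offset_h = 1 if bst_active(naive) else 0   # wrongly treated as local wall clock
    else:
        raise ValueError("unsupported TZ in this example: " + tz_setting)
    utc = (naive - timedelta(hours=offset_h)).replace(tzinfo=timezone.utc)
    return int(utc.timestamp())

def skew_seconds(log_line):
    """Seconds the event is pushed into the past when a UTC timestamp is
    parsed as Europe/London (3600 during BST, 0 in winter)."""
    return index_time(log_line, "UTC") - index_time(log_line, "Europe/London")

def visible_in_last_hour(log_line, tz_setting, now_epoch):
    """Would a 'Last 60 minutes' search run at now_epoch return this event?"""
    t = index_time(log_line, tz_setting)
    return now_epoch - 3600 <= t <= now_epoch

if __name__ == "__main__":
    for line in LOG_LINES:
        print(line[:19], "skew when parsed as Europe/London:", skew_seconds(line), "s")
```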

Re: With IIS logs in GMT and the forwarder, indexer, and search head in UTC, what configuration do I need for a user in BST to search logs real-time?

Esteemed Legend

OK, don't forget to "Accept" the answer to close out the question.

0 Karma

Re: With IIS logs in GMT and the forwarder, indexer, and search head in UTC, what configuration do I need for a user in BST to search logs real-time?

Champion

Daniel, the props.conf will have to be set up on the indexer, not the forwarder. They will get adjusted according to your config for the newer entries. You can modify anything for the indexed items or, better, re-index them.

0 Karma