
change extracted event timezone

Path Finder

Hi guys
I've a script on a Linux forwarder to monitor a load balancer; its log is a txt file in UTC format. I need to set the time zone to Europe/Rome. To do this I've set up props.conf on the indexer as shown below:

[source::NSowa]
TZ = Europe/Rome

the result is the same


As you can see, events without a timestamp are logged with the correct time; the time extraction is wrong.


Re: change extracted event timezone

Champion

Consult the documentation for instruction on setting the timezone correctly.


Re: change extracted event timezone

Explorer

I downvoted this post because this isn't a very helpful comment. Telling someone to just read the documentation doesn't help someone find what they're looking for to become better.

0 Karma

Re: change extracted event timezone

Champion

As I responded in a previous comment, it seemed to be a general "how do I configure timezones to work" question. As such, I linked to the documentation in my answer.

0 Karma

Re: change extracted event timezone

Super Champion

We should not be trying to discourage people from posting answers. Downvotes are for completely wrong answers/bad advice.

0 Karma

Re: change extracted event timezone

Champion

I get the reasoning behind the downvote. I think it's the type of post that should potentially be downvoted (when an answer is purposely unhelpful, etc.). In this case I simply misunderstood the question, and apologized to the asker prior to the downvote.

When I posted the answer, a pointer to the correct documentation seemed like the best place to start, due to my missing the details in the question about already having attempted to implement the configs.

All in all, it was a reasonable consideration to downvote.

0 Karma

Re: change extracted event timezone

Path Finder

I've read the documentation, I read about the TZ parameter there ... where am I wrong?

0 Karma

Re: change extracted event timezone

Champion

My apologies, I didn't see the props.conf snippet you posted. I read this as a general "how do I use TZ in Splunk" question. @ddrillic's comment seems to identify at least one issue with this configuration.

0 Karma

Re: change extracted event timezone

Ultra Champion

Based on this screen-shot, these two events don't seem to be of source = NSowa. You see, source is not listed below the event, only host...

0 Karma

Re: change extracted event timezone

Path Finder

Thanks ddrillic, the source is correct. I don't know why, but I've hosted a new screenshot on imgur but the forum doesn't show it ... I've posted a new reply in the main thread with the screenshot.

0 Karma