props.conf not effective

juleserror
Engager

Hi, this issue has been mentioned here before but still my changes in props.conf are not effective.
Here is the configuration I'm using:

Inputs.conf:

[default]
host = bb1322454b5f
sourcetype=analyteacs_sales
source=splunk:8088

Transforms.conf:

[clone_ebook_sales]

REGEX            = (?s).*
CLONE_SOURCETYPE = ebook_sales_for_resellers
DEST_KEY         = _MetaData:Index
FORMAT           = ebook_sales

And finally props.conf:

[analyteacs_sales]
TRANSFORMS-clone_ebook_sales = clone_ebook_sales
tz = Pacific/Fiji
sourcetype=ebook_sales
priority=100

I tried to modify the system's timezone, but the changes aren't effective. Does someone see where it comes from?

Thanks in advance


diogofgm
SplunkTrust

Config files are case sensitive. tz should be TZ.

From the docs:

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
  the version 6.0 and higher forwarding protocol, use the timezone provided
  by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string

You can also troubleshoot what's being applied or not by using btool. Just run:

./splunk btool props list --debug analyteacs_sales

The result is all the attributes for your source type and their location. Look for TZ and check what is being applied there.

------------
Hope I was able to help you. If so, some karma would be appreciated.
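
A small linter for the mistake resolved in the answer above, added here as an example and not code from the thread or from Splunk: it flags props.conf setting names that match a known setting only when case is ignored. The setting and prefix lists in the script are a partial, assumed set, and the sample input is the stanza from the question.

```python
import re

# Partial list of props.conf setting names (assumption: extend it from the
# props.conf.spec shipped with your Splunk version).
KNOWN_SETTINGS = {"TZ", "TIME_FORMAT", "TIME_PREFIX", "MAX_TIMESTAMP_LOOKAHEAD",
                  "SHOULD_LINEMERGE", "LINE_BREAKER", "TRUNCATE", "sourcetype",
                  "priority"}
# Settings written as PREFIX-<class>; only the prefix has a fixed spelling.
KNOWN_PREFIXES = {"TRANSFORMS", "REPORT", "EXTRACT", "SEDCMD", "FIELDALIAS", "EVAL"}

_BY_LOWER = {s.lower(): s for s in KNOWN_SETTINGS}
_PREFIX_BY_LOWER = {p.lower(): p for p in KNOWN_PREFIXES}
_STANZA = re.compile(r"^\[(.+)\]\s*$")


def find_case_mismatches(conf_text):
    """Return (line_no, stanza, found_key, expected_key) for each setting whose
    name matches a known one only when case is ignored."""
    findings, stanza = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        m = _STANZA.match(line)
        if m:
            stanza = m.group(1)
        # Skip stanza headers, blanks, comments and lines without a setting.
        if m or not line or line.startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        head, sep, klass = key.partition("-")
        if sep and head.lower() in _PREFIX_BY_LOWER:
            expected = _PREFIX_BY_LOWER[head.lower()] + sep + klass
        else:
            expected = _BY_LOWER.get(key.lower(), key)  # unknown keys pass through
        if key != expected:
            findings.append((line_no, stanza, key, expected))
    return findings


# Constructed sample: the props.conf stanza from the question above.
SAMPLE = """[analyteacs_sales]
TRANSFORMS-clone_ebook_sales = clone_ebook_sales
tz = Pacific/Fiji
sourcetype=ebook_sales
priority=100
"""

if __name__ == "__main__":
    for line_no, stanza, found, expected in find_case_mismatches(SAMPLE):
        print(f"line {line_no} [{stanza}]: '{found}' should be '{expected}'")
```

Settings the script does not know are left alone, so an empty result only means no case mismatch against the listed names; btool remains the check for what splunkd actually applies.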

juleserror
Engager

After changing "tz" to "TZ" it works.
Splunk CLI is a great tool!

Thanks


richgalloway
SplunkTrust

What are you trying to accomplish?

---
If this reply helps you, Karma would be appreciated.

juleserror
Engager

I try to change Splunk's system timezone (not the user's timezone) with the following property:

tz = Pacific/Fiji

But it's not taken into account.


Kawtar
Path Finder

Did you refresh or restart your Splunk instance after the modifications?
