Hi, this issue has been mentioned here before but still my changes in props.conf are not effective.
Here is the configuration I'm using:
Inputs.conf:
[default]
host = bb1322454b5f
sourcetype=analyteacs_sales
source=splunk:8088
Transforms.conf:
[clone_ebook_sales]
REGEX = (?s).*
CLONE_SOURCETYPE = ebook_sales_for_resellers
DEST_KEY = _MetaData:Index
FORMAT = ebook_sales
And finally props.conf:
[analyteacs_sales]
TRANSFORMS-clone_ebook_sales = clone_ebook_sales
tz = Pacific/Fiji
sourcetype=ebook_sales
priority=100
I tried to modify the system's timezone, but the changes aren't effective. Does someone see where it comes from?
Thanks in advance
Config files are case sensitive. tz should be TZ.
From the docs:
TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
    use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
    the version 6.0 and higher forwarding protocol, use the timezone provided
    by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string
You can also troubleshoot what's being applied or not by using btool. Just run:
./splunk btool props list --debug analyteacs_sales
The result is all the attributes for your source type and their location. Look for TZ and check what is being applied there.
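The case-sensitivity pitfall from the answer above can also be caught by linting the file before a restart. This is an added example, not part of the original thread or of Splunk's own tooling; the function name `find_case_mismatches` and the short list of settings it checks are assumptions chosen for illustration.

```python
import re

# Setting names spelled as in props.conf.spec (a small subset, for illustration).
KNOWN = ["TZ", "TIME_FORMAT", "TIME_PREFIX", "MAX_TIMESTAMP_LOOKAHEAD",
         "LINE_BREAKER", "SHOULD_LINEMERGE", "TRUNCATE", "priority", "sourcetype"]
# Settings that take a class suffix, e.g. TRANSFORMS-<class>.
KNOWN_PREFIXES = ["TRANSFORMS-", "REPORT-", "EXTRACT-", "SEDCMD-"]

# props.conf from the question above, with the lowercase "tz" that was ignored.
SAMPLE = """\
[analyteacs_sales]
TRANSFORMS-clone_ebook_sales = clone_ebook_sales
tz = Pacific/Fiji
sourcetype=ebook_sales
priority=100
"""

def find_case_mismatches(conf_text):
    """Return (line_no, stanza, written, expected) for each setting whose
    name matches a known setting only when case is ignored."""
    by_lower = {name.lower(): name for name in KNOWN}
    findings, stanza = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = header.group(1)
            continue
        if "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        expected = by_lower.get(key.lower())
        if expected is None:
            # Class-suffixed settings: only the prefix has a fixed spelling.
            for prefix in KNOWN_PREFIXES:
                if key.lower().startswith(prefix.lower()):
                    expected = prefix + key[len(prefix):]
                    break
        if expected is not None and expected != key:
            findings.append((line_no, stanza, key, expected))
    return findings

if __name__ == "__main__":
    for line_no, stanza, written, expected in find_case_mismatches(SAMPLE):
        print(f"line {line_no} [{stanza}]: '{written}' should be '{expected}'")
```

A clean result only means none of the listed names is miscased; btool remains the way to see which value splunkd actually applies.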
After changing "tz" to "TZ" it works.
Splunk CLI is a great tool!
Thanks
What are you trying to accomplish?
I try to change Splunk's system timezone (not the user's timezone) with the following property:
tz = Pacific/Fiji
But it's not taken into account.
Did you refresh or restart your Splunk instance after the modifications?