props.conf not effective

juleserror
Engager

Hi, this issue has been mentioned here before but still my changes in props.conf are not effective.
Here is the configuration I'm using :

Inputs.conf :

[default]
host = bb1322454b5f
sourcetype=analyteacs_sales
source=splunk:8088

Transforms.conf :

[clone_ebook_sales]

REGEX            = (?s).*
CLONE_SOURCETYPE = ebook_sales_for_resellers
DEST_KEY         = _MetaData:Index
FORMAT           = ebook_sales

And finally props.conf :

[analyteacs_sales]
TRANSFORMS-clone_ebook_sales = clone_ebook_sales
tz = Pacific/Fiji
sourcetype=ebook_sales
priority=100

I tried to modify the system's timezone, but the changes aren't effective. Does someone see where it comes from?

Thanks in advance

0 Karma

diogofgm
SplunkTrust

Config files are case sensitive. tz should be TZ.

From the docs:

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
  the version 6.0 and higher forwarding protocol, use the timezone provided
  by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string

You can also troubleshoot what's being applied or not by using btool. Just run:

./splunk btool props list --debug analyteacs_sales

The result is all the attributes for your source type and their location. Look for TZ and check what is being applied there.

------------
Hope I was able to help you. If so, some karma would be appreciated.
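
A static check for the case problem identified in the answer above, as an added example that is not part of the original post and not Splunk tooling. The function name `lint_props` is hypothetical, the setting list is an assumed subset of props.conf settings rather than the full spec, and the sample input is the props.conf stanza from the question.

```python
import re

# Assumed subset of props.conf setting names, in their exact case.
KNOWN = ["TZ", "TIME_FORMAT", "TIME_PREFIX", "MAX_TIMESTAMP_LOOKAHEAD",
         "SHOULD_LINEMERGE", "LINE_BREAKER", "TRUNCATE", "CHARSET",
         "KV_MODE", "priority", "sourcetype", "rename"]
# Settings of the form PREFIX-<class>; only the prefix has a fixed case.
KNOWN_PREFIXES = ["TRANSFORMS-", "REPORT-", "EXTRACT-", "SEDCMD-",
                  "EVAL-", "FIELDALIAS-", "LOOKUP-"]

def lint_props(text):
    """Return (line_no, stanza, key, suggestion) for keys with the wrong case."""
    by_lower = {k.lower(): k for k in KNOWN}
    findings, stanza = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = header.group(1)
            continue
        if "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        exact = by_lower.get(key.lower())
        if exact and exact != key:
            findings.append((no, stanza, key, exact))
            continue
        for prefix in KNOWN_PREFIXES:
            if key.lower().startswith(prefix.lower()) and not key.startswith(prefix):
                findings.append((no, stanza, key, prefix + key[len(prefix):]))
    return findings

# The props.conf stanza from the question above.
SAMPLE = """[analyteacs_sales]
TRANSFORMS-clone_ebook_sales = clone_ebook_sales
tz = Pacific/Fiji
sourcetype=ebook_sales
priority=100
"""

if __name__ == "__main__":
    for no, stanza, key, fix in lint_props(SAMPLE):
        print(f"line {no} [{stanza}]: '{key}' should be '{fix}'")
```

A check like this catches the typo before a restart; btool remains the way to see which file each applied attribute comes from.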

juleserror
Engager

After changing "tz" to "TZ" it works.
Splunk CLI is a great tool!

Thanks

0 Karma

richgalloway
SplunkTrust

What are you trying to accomplish?

---
If this reply helps you, Karma would be appreciated.
0 Karma

juleserror
Engager

I'm trying to change Splunk's system timezone (not the user's timezone) with the following property:

tz = Pacific/Fiji

But it's not taken into account.

0 Karma

Kawtar
Path Finder

Did you refresh or restart your Splunk instance after the modifications?

0 Karma