Getting Data In

props.conf not effective

juleserror
Engager

Hi, this issue has been mentioned here before but still my changes in props.conf are not effective.
Here is the configuration I'm using :

Inputs.conf :

[default]
host = bb1322454b5f
sourcetype=analyteacs_sales
source=splunk:8088

Transforms.conf :

[clone_ebook_sales]

REGEX            = (?s).*
CLONE_SOURCETYPE = ebook_sales_for_resellers
DEST_KEY         = _MetaData:Index
FORMAT           = ebook_sales

A finally props.conf :

[analyteacs_sales]
TRANSFORMS-clone_ebook_sales = clone_ebook_sales
tz = Pacific/Fiji
sourcetype=ebook_sales
priority=100

I tried to modify the system's timezone, but the changes aren't effective. Does someone see where it comes from?

Thanks in advance

0 Karma
1 Solution

diogofgm
SplunkTrust
SplunkTrust

config files are case sensitive. tz should be TZ

from docs:

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
  the version 6.0 and higher forwarding protocol, use the timezone provided
  by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string

You can also troubleshoot what's being applied or not by using btool. just run:

./splunk btool props list --debug analyteacs_sales

the result is all the attributes for you source type and their location look for TZ and check what is being applied there.

------------
Hope I was able to help you. If so, an upvote would be appreciated.

View solution in original post

diogofgm
SplunkTrust
SplunkTrust

config files are case sensitive. tz should be TZ

from docs:

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
  the version 6.0 and higher forwarding protocol, use the timezone provided
  by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string

You can also troubleshoot what's being applied or not by using btool. just run:

./splunk btool props list --debug analyteacs_sales

the result is all the attributes for you source type and their location look for TZ and check what is being applied there.

------------
Hope I was able to help you. If so, an upvote would be appreciated.

View solution in original post

juleserror
Engager

After changing "tz" to "TZ" it works.
Splunk CLI is a great tool !

Thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What are you trying to accomplish?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

juleserror
Engager

I try to change Splunk's system timezone (not the user's timezone) with the following property:

tz = Pacific/Fiji

But it's not taken into account.

0 Karma

Kawtar
Path Finder

Did you refresh or restart your splunk instance after the modifications ?

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!