Getting Data In

syslog timezone issues

Steve_Litras
Path Finder

My deployment has a bunch of geo-based forwarders, which accept splunk connections, as well as udp/514 syslog for devices that I can't put a light forwarder on. I've run into a problem with an IBM DataPower XI50 device, where it sends strings with timestamp info like this:

Jul 16 15:04:42

No time zone info, etc. The forwarder seems to assume that it's in PDT (which it is) and adds 7 hours, but again stamps it without the Timezone (based on what I see from "Show source"). So when it gets to the indexer, it converts it yet again, and suddenly, my log entries are 7 hours in the future.

Any ideas how I can fix this (and yes, I have tried to define a "GMT for everything" standard, to no avail)...

Thanks Steve

1 Solution

Steve_Litras
Path Finder

Rather than messing more with timezones in props, etc, and realizing that I might have other problems with syslog based timestamps, I decided to just have splunk create the timestamp at arrival time. This solved the problem (and probably just made the rest of my syslog data more consistent. :)).

ambermeh
New Member

Hi Steve,

I'm facing the same issue. How did you fix it? Thanks, Amber

Steve_Litras
Path Finder

I just had splunk add the timestamp rather than relying on the time/timezone of the source.

Genti
Splunk Employee

Steve,
First, I am assuming this is a regular (heavy) forwarder? Once the forwarder gets the events, the data it sends is COOKED, which means the indexer should not be changing timestamps around but only accept what the forwarder sends it. (Is the forwarder indexing as well? Otherwise, how did you determine that the forwarder is using the correct timestamp?)

You seem to have tried using the TZ flag, but have used GMT? If your logs are in PDT time then your props stanza should have TZ = PDT (and not GMT). Where are you placing your props.conf? Forwarder or indexer?
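
Added example, not code from the thread or from Splunk: a Python simulation of the double offset Steve describes (a zone-less timestamp converted once on the forwarder, re-emitted without a zone, and converted again on the indexer) next to the two fixes discussed here, applying the source zone exactly once (what `TZ = ...` in props.conf does) and stamping on arrival (`DATETIME_CONFIG = CURRENT`). The sample line and receive time are constructed, and PDT is modelled as a fixed UTC-7 offset.

```python
# Simulates the "7 hours in the future" symptom from the thread and the two
# fixes discussed. Sample data is constructed; PDT is a fixed -7 offset here
# (a real deployment should use a DST-aware zone such as America/Los_Angeles).
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7), "PDT")

# Constructed BSD-syslog style line: no year, no zone in the timestamp.
SAMPLE_LINE = "Jul 16 15:04:42 xi50 mpgw[123]: request completed"
# Constructed instant at which the forwarder received the line (UTC).
RECEIVED_AT = datetime(2021, 7, 16, 22, 4, 50, tzinfo=timezone.utc)


def parse_naive_syslog(line: str) -> datetime:
    """Return the zone-less timestamp from the first 15 characters of the line."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def localize_once(naive: datetime, source_tz: timezone, received_at: datetime) -> datetime:
    """Correct handling: take the year from the receive time and apply the
    source zone exactly once (the effect of TZ = ... in props.conf)."""
    return naive.replace(year=received_at.year, tzinfo=source_tz)


def double_shift(naive: datetime, source_tz: timezone, received_at: datetime) -> datetime:
    """The bug: forwarder converts local -> UTC, writes the result without a zone,
    and the indexer treats that UTC wall-clock as local and converts it again."""
    first = localize_once(naive, source_tz, received_at).astimezone(timezone.utc)
    reemitted = first.replace(tzinfo=None)  # zone information lost on the wire
    return reemitted.replace(tzinfo=source_tz).astimezone(timezone.utc)


def arrival_time(received_at: datetime) -> datetime:
    """The accepted workaround: DATETIME_CONFIG = CURRENT, i.e. stamp on arrival."""
    return received_at


def skew_hours(event_time: datetime, received_at: datetime) -> float:
    """Hours between the event's timestamp and its receipt; a large positive value
    (events dated in the future) is the cue to check TZ handling on each hop."""
    return (event_time - received_at).total_seconds() / 3600


def utc_iso(dt: datetime) -> str:
    """Normalise an aware datetime to an ISO 8601 UTC string for comparison."""
    return dt.astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    naive = parse_naive_syslog(SAMPLE_LINE)
    for label, ts in [("once", localize_once(naive, PDT, RECEIVED_AT)),
                      ("twice", double_shift(naive, PDT, RECEIVED_AT)),
                      ("arrival", arrival_time(RECEIVED_AT))]:
        print(f"{label:8} {utc_iso(ts)}  skew={skew_hours(ts, RECEIVED_AT):+.2f}h")
```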

Steve_Litras
Path Finder

I tried both GMT and PDT in the props.conf (which I place on the forwarders). I should have said that I was making a supposition that it was happening in both places, not that I had confirmed it...
