Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: syslog timezone issues
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My deployment has a bunch of geo-based forwarders, which accept splunk connections, as well as udp/514 syslog for devices that I can't put a lightforwarder on. I've run into a problem with an IBM DataPower XI50 device, where it sends strings with timestamp info like this:
Jul 16 15:04:42
No time zone info, etc. The forwarder seems to assume that it's in PDT (which it is) and adds 7 hours, but again stamps it without the Timezone (based on what I see from "Show source"). So when it gets to the indexer, it converts it yet again, and suddenly, my log entries are 7 hours in the future.
Any ideas how I can fix this (and yes, I have tried to define a "GMT for everything" standard, to no avail)...
Thanks Steve
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rather than messing more with timezones in props, etc, and realizing that I might have other problems with syslog based timestamps, I decided to just have splunk create the timestamp at arrival time. This solved the problem (and probably just made the rest of my syslog data more consistent. :)).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Steve,
I'm facing same issue , How you fixed it? Thanks Amber
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just had splunk add the timestamp rather than relying on the the time/timezone of the source.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rather than messing more with timezones in props, etc, and realizing that I might have other problems with syslog based timestamps, I decided to just have splunk create the timestamp at arrival time. This solved the problem (and probably just made the rest of my syslog data more consistent. :)).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Steve,
First, i am assuming this is a regular (heavy) forwarder? Once the forwarder gets the events, the data it sends is COOKED, which means the indexer should not be changing timestamps around but only accept what the forwarder sends it. (Is the forwarder indexing as well? otherwise how did you determine that the forwarder is using the correct timestamp?)
You seem to have tried using the TZ flag, but have used GMT? If your logs are in PDT time then your props stanza should have TZ = PDT (and not GMT) Where are you placing your props.conf? Forwarder/indexer ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried both GMT and PDT in the props.conf (which I place on the forwarders). I should have said that I was making a supposition that it was happening in both places, not that I had confirmed it...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
