Getting Data In

timezone setting based on forwarder naming convention?


I'm sure Splunk'rs have ran across this already, so here's my issue.

We have server naming conventions with "D" for DEV, "T" for TEST and "P" for PROD (in the same position of the server name). They reside in different data centers which are in different timezones. How do I set my props.conf to adjust the TZ value based on the naming convention of the host? The log sourcetypes are the same, going to the same index, but I need to adjust the TZ forward/back as these are in different data centers.

Is this setting made with REGEX in the inputs.conf of the app? Or is this done in the props.conf? Confused on exactly where/how to do this.

Thanks in advance!

0 Karma

Esteemed Legend

You just do this in props.conf:

[host:.{number=character count preceding D, T, or P}D.*]
[host:.{number=character count preceding D, T, or P}T.*]
[host:.{number=character count preceding D, T, or P}P.*]
0 Karma