Security

UTC to Local Time zone conversion on the fly. Splunk for Bluecoat

ageld
Path Finder

Dear splunk ninjas,

I would highly appreciate if you suggest a solution to my problem. I have recently installed Splunk for BlueCoat Application. Since I have BlueCoat proxies in various time zones, I have no problem with logs being reported in UTC format. However, I would like all reports and searches to be compiled for EST timezone. Splunk server is in EST time zone. Is there a way to pre-process incoming logs to convert them to EST or modify the App somehow to do that conversion while calculating reports or searches?

Thanks in advance.

Tags (1)
1 Solution

ageld
Path Finder

Actually setting time-zone on per-source basis did not work. I had to do it for each host:

[host::192.168.1.1] TZ = UTC [host::192.168.2.1] TZ = UTC [host::192.168.3.1] TZ = UTC [host::192.168.4.1] TZ = UTC [host::192.168.5.1] TZ = UTC

View solution in original post

0 Karma

mcbradford
Contributor

Exactly what files in what location are you modifying and for each file what are you putting in each file?

I cannot get this to work???

It sounds like you are saying change both the est, but what is the example beneath your explanation? Is this what is was?

Also - is default the same as 30000 ?

I saw in another post source for BC was bcoat_proxysg

per ... http://splunk-base.splunk.com/answers/23395/could-someone-provide-some-tips-and-tricks-to-configure-...

But this would not work either????

ageld
Path Finder

Actually setting time-zone on per-source basis did not work. I had to do it for each host:

[host::192.168.1.1] TZ = UTC [host::192.168.2.1] TZ = UTC [host::192.168.3.1] TZ = UTC [host::192.168.4.1] TZ = UTC [host::192.168.5.1] TZ = UTC

0 Karma

ageld
Path Finder

The problem was fixed by configuring main props.conf and the one under SplunkforBlueCoat application. The main was set up with TZ = US/Eastern, the one under SplunkforBlueCoat was set up with TZ = US/Eastern for each input:

[source::30000] TZ = UTC

[source::34001] TZ = UTC

There might be better way of doing it, but it worked for me. Thanks gkanapathy for pointing me to the right direction.

landen99
Motivator

That appears incorrect. Those settings are telling Splunk that the time being reported by those sources are in UTC, but you are telling us that the correct TZ for those servers is EST. After Splunk understands the correct TZ of the time being logged, the times are converted automatically to UTC and recorded with each event as _time. The client then pulls _time at search time and converts it to the TZ you set in your profile.

If the server reports in EST and you tell Splunk that it is really UTC (+0 offset), then it is recorded without any changes. If your client is set to UTC, then the time is displayed exactly as it was recorded (again +0 offset) .. in EST even though your profile is set to UTC.

It only appears to work because you are using two +0 offsets in a row to display time logged in the same TZ as you. Splunk clients set to any other TZ will produce incorrect times, and technically even your UTC client displays incorrectly because it is showing EST instead of UTC. Setting your client to EST will likely show +10 offset somewhere in the Pacific Ocean, because it will offset +5 from your EST time as if it were the UTC time.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

All time is stored as UTC, so you should never do any "pre-processing" to convert it. You should always figure out what the time is, store it correctly as the actual time, and then display the time according the desired output time zone.

So, what you need to do is make sure that Splunk knows what time zone the incoming data is in. If it's not otherwise specified (in the event data or in props.conf config) Splunk assumes that the data is in the indexer time zone. It sounds like you need to fix your Splunk configuration to make sure this is correct.

Times are formatted according to time zone of the search head upon display. Currently, there is no way to have a single search head instance show different time zones. However, you could use multiple different search heads configured to different time zones to display results using different zones.

Get Updates on the Splunk Community!

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...

Introducing New Splunkbase Governance!

Splunk apps are essential for maximizing the value of your Splunk Experience. Whether you’re using the default ...

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...