Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I set a timezone for a specific sourcetytpe?

kteng2024
Path Finder
‎09-01-2017 12:48 PM

How to specify a particular timezone for specific sourcetype? I found the below format the other Splunk question. Can I place it in the inputs.conf? Can two same source types have different timezone?

[yourSourcetype]
TZ = TZvalueForYourEventTimestamps

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2017 01:31 PM

The TZ attribute goes in the props.conf file in the appropriate sourcetype stanza. A given sourcetype can have only one time zone specifier, but the data itself can specify a time zone as part of the timestamp for each event. IOW, if you set TZ = EST events can still have '2017-09-01 16:30:00Z' to indicate a UTC timestamp.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-02-2017 08:50 AM

You can have as many TZ= definitions as you like but ONLY in props.conf (not inputs.conf). You can even override the default ASCII-ordering precedence (within a particular spec) using the priority argument. Beware of spec precedence:

**[] stanza precedence:**
For settings that are specified in multiple categories of matching [] stanzas, [host::] settings override [] settings.
Additionally, [source::] settings override both [host::] and [] settings.

So if your sourcetype setting is not working, a host or source setting may be overriding it.

Typically we use host spec for TZ= settings, frequently with wildcards and heavy use of priority.

0 Karma
Reply
Solved! Jump to solution

kteng2024
Path Finder
‎09-05-2017 01:24 PM

thank you for the reply. I am using the below config on the forwarder but i don't see time being converted to UTC when i run the search. i also restarted the splunkd.

Index i on EDT
forwarder is on EDT
application is writing logs in UTC

[sourcetype::webserver_log]
TZ=UTC

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-06-2017 07:32 PM

What is your inputs.conf configuration and do your events have a date_zone field?

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-01-2017 01:32 PM

If you want to use the same sourcetype, and the time zone is not explicit, how should the computer be able to tell the difference, from the content of the records?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2017 01:31 PM

The TZ attribute goes in the props.conf file in the appropriate sourcetype stanza. A given sourcetype can have only one time zone specifier, but the data itself can specify a time zone as part of the timestamp for each event. IOW, if you set TZ = EST events can still have '2017-09-01 16:30:00Z' to indicate a UTC timestamp.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...