Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I set a timezone for a specific sourcetytpe?

kteng2024
Path Finder
‎09-01-2017 12:48 PM

How to specify a particular timezone for specific sourcetype? I found the below format the other Splunk question. Can I place it in the inputs.conf? Can two same source types have different timezone?

[yourSourcetype]
TZ = TZvalueForYourEventTimestamps

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2017 01:31 PM

The TZ attribute goes in the props.conf file in the appropriate sourcetype stanza. A given sourcetype can have only one time zone specifier, but the data itself can specify a time zone as part of the timestamp for each event. IOW, if you set TZ = EST events can still have '2017-09-01 16:30:00Z' to indicate a UTC timestamp.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-02-2017 08:50 AM

You can have as many TZ= definitions as you like but ONLY in props.conf (not inputs.conf). You can even override the default ASCII-ordering precedence (within a particular spec) using the priority argument. Beware of spec precedence:

**[] stanza precedence:**
For settings that are specified in multiple categories of matching [] stanzas, [host::] settings override [] settings.
Additionally, [source::] settings override both [host::] and [] settings.

So if your sourcetype setting is not working, a host or source setting may be overriding it.

Typically we use host spec for TZ= settings, frequently with wildcards and heavy use of priority.

0 Karma
Reply
Solved! Jump to solution

kteng2024
Path Finder
‎09-05-2017 01:24 PM

thank you for the reply. I am using the below config on the forwarder but i don't see time being converted to UTC when i run the search. i also restarted the splunkd.

Index i on EDT
forwarder is on EDT
application is writing logs in UTC

[sourcetype::webserver_log]
TZ=UTC

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-06-2017 07:32 PM

What is your inputs.conf configuration and do your events have a date_zone field?

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-01-2017 01:32 PM

If you want to use the same sourcetype, and the time zone is not explicit, how should the computer be able to tell the difference, from the content of the records?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2017 01:31 PM

The TZ attribute goes in the props.conf file in the appropriate sourcetype stanza. A given sourcetype can have only one time zone specifier, but the data itself can specify a time zone as part of the timestamp for each event. IOW, if you set TZ = EST events can still have '2017-09-01 16:30:00Z' to indicate a UTC timestamp.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...