
How to monitor logs from Different Time Zones?

sarahnazzar
Explorer

Hello Splunkers!

Initially I added the monitor stanza for all the inputs from various time zones, and when I checked there was a difference between _time and the time present in the event: there was a lag of 1 or 2 hours depending on that country's time zone and the Splunk time zone. I then figured out that it is because Splunk looks for a timestamp in the event and parses the data. Now I need to monitor logs being received from different time zones in various countries while Splunk is in a different time zone. Can you please drop in your knowledge on this?

When I investigated, I found that we can set the below to false as per https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Propsconf

BREAK_ONLY_BEFORE_DATE = <boolean>
DATETIME_CONFIG = NONE

And I could see that there are options to define the time zones using TZ. Can anyone help me out please?

 

Example:

My source: test.csv

SYSTEMDATE,SYSTEMTIME,FAILUREMESSAGE
"2022-05-04","12.51.08", The JobA has failed
"2022-05-04","13.00.05", The JobB has failed

Data reflecting in Splunk UI:

Time                       Event
04/05/2022 12:51:03.000    SYSTEMDATE,SYSTEMTIME,FAILUREMESSAGE
04/05/2022 11:51:08.000    "2022-05-04","14.51.08",The JobA has failed
04/05/2022 12:00:05.000    "2022-05-04","13.00.05",The JobB has failed

 

Only the event below is reflected at the current time, when the job is triggered from the application end, which is the correct one, since it has no timestamp defined.

04/05/2022
12:51:03.000
SYSTEMDATE,SYSTEMTIME,FAILUREMESSAGE

 

Source time zone: various countries like Italy, Romania, Cyprus, etc.

Destination/Splunk Time Zone: BST

 

Many thanks!

Sarah


richgalloway
SplunkTrust

For each forwarder that is sending these logs, add a TZ setting to the appropriate props.conf stanza. The forwarder will tell the indexers the correct time zone to use.

---
If this reply helps you, Karma would be appreciated.

sarahnazzar
Explorer

@richgalloway Thanks for your response!

By "correct time zone", do you mean it will be using the time zone configured in Splunk, i.e. BST, the current time when the data comes in?

For example, if the time zone is that of Romania, will TZ = EET work under that particular sourcetype's props.conf?

[jobcsv]
TZ = EET

I had a check in the TZ database but couldn't find it. Can you please help me out?

https://en.m.wikipedia.org/wiki/List_of_tz_database_time_zones

 


richgalloway
SplunkTrust

Yes, by "correct time zone" I mean the one configured.

You should be able to use TZ=EET or TZ=Europe/Bucharest in props.conf.

---
If this reply helps you, Karma would be appreciated.
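A complete props.conf stanza for the CSV in this thread, as an added example that is not part of the original thread or of Splunk's documentation. It combines the TZ advice from the accepted answer with explicit timestamp extraction, so Splunk reads the date and time fields from each row instead of guessing at them. The sourcetype name jobcsv and the row layout come from the thread; the host naming patterns and the Rome and Nicosia stanzas are assumptions used to illustrate one forwarder per country.

```ini
# props.conf on each forwarder that reads test.csv (added example, not from the thread).
# TZ is applied where the event is parsed, so it belongs with the forwarder that
# ships the file, and each forwarder names the zone its application writes in.

[jobcsv]
# Romania, as in the accepted answer. EET is also accepted, but the
# region/city form follows the daylight-saving rules automatically.
TZ = Europe/Bucharest

# Rows look like: "2022-05-04","12.51.08", The JobA has failed
# Anchor the timestamp at the opening quote and describe it exactly, so the
# dotted time "12.51.08" is parsed as HH.MM.SS rather than guessed at.
TIME_PREFIX = ^"
TIME_FORMAT = %Y-%m-%d","%H.%M.%S
MAX_TIMESTAMP_LOOKAHEAD = 24

# Note: the header row SYSTEMDATE,SYSTEMTIME,FAILUREMESSAGE carries no timestamp,
# so it is still stamped with the time it was indexed, as observed in the thread.

# Where the same sourcetype is deployed to forwarders in several countries, a
# host-based stanza overrides the zone per forwarder. Host name patterns are assumed.
[host::ro-*]
TZ = Europe/Bucharest

[host::it-*]
TZ = Europe/Rome

[host::cy-*]
TZ = Europe/Nicosia
```

A quick check after restarting the forwarder: search the sourcetype and compare _time against the SYSTEMTIME value in the raw event. For a Romanian source in May, an event written at 14.51.08 local should show as 12:51:08 when the search head displays in BST, which lines up with the index time of the header row the original poster saw.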

sarahnazzar
Explorer

@richgalloway  Many thanks that worked!! 😊
