Setting options for host regex not working as expected

cjosephson
Engager

We have a set of hosts that all begin with the letter 'm' and we want to set DATETIME_CONFIG = CURRENT for them.

If I configure by source, like so, I get the behavior I want (all incoming events relabeled with our local server's TZ):

[source::udp*]
DATETIME_CONFIG = CURRENT

However, if I try to do this based on the hostname instead of the source, it just uses the UTC timestamp the data arrived with.

[host::m*]
DATETIME_CONFIG = CURRENT

I saw this post:
http://answers.splunk.com/answers/138280/timezone-setting-not-working-for-host-set-from-host-regex.h...

So I also tried [host::(m*)], but it had no effect. Why is the host regex setting not behaving as I expect? Even if I fully specify a hostname without a wildcard, it won't apply the setting for that host.


MuS
SplunkTrust

Hi cjosephson,

What is the data you are forwarding like? Is it structured? Because in that case you need to pay attention to this fact here: http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/Routeandfilterdatad#Caveats_for_routing...

Otherwise follow the advice given by @martin_mueller :

cheers, MuS


cjosephson
Engager

It is syslog data. The machines send the data straight to our single Splunk server (we have no forwarders). Does this count as structured data?

I do realize it would only be valid for new events and that I need to restart. I was using the logger command to generate new events and check the timestamps.

If I use btool, "./splunk btool check", there is no output, which I assume means success. There are no unusual messages in stdout when I restart Splunk either.


MuS
SplunkTrust

Run this:

$SPLUNK_HOME/bin/splunk cmd btool props list --debug

and check whether your [host::m*] entry appears and has the correct settings.


cjosephson
Engager

It appears to. I see the /opt/splunk/etc/system/local/props.conf DATETIME_CONFIG = CURRENT option.

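The check in the last two replies (list the effective props.conf with btool --debug, then confirm that the [host::m*] stanza carries DATETIME_CONFIG = CURRENT and see which file supplies it) can be scripted so it is repeatable after every restart. The following is an added example written for this thread; it is not Splunk's code and was not posted by any participant. The btool output it parses is constructed to resemble the --debug format (originating file path, then the stanza header or key = value line), and approximating the stanza wildcard with fnmatch is an assumption about how Splunk matches host:: and source:: patterns, not a description of it. Knowing which file actually supplies a timestamp setting matters because DATETIME_CONFIG = CURRENT silently replaces the event's own time with the indexing time, which shifts every alert and timeline built on that data.

```python
"""Parse `splunk cmd btool props list --debug` output and verify a stanza setting.

Added example, not Splunk's code. The sample text below is constructed to look
like btool --debug output and is not captured from a real system.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample of btool --debug output: each line is the file the
# setting came from, followed by a stanza header or a "key = value" pair.
SAMPLE_BTOOL_DEBUG = """\
/opt/splunk/etc/system/default/props.conf [default]
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/local/props.conf   [host::m*]
/opt/splunk/etc/system/local/props.conf   DATETIME_CONFIG = CURRENT
/opt/splunk/etc/system/local/props.conf   [source::udp*]
/opt/splunk/etc/system/local/props.conf   DATETIME_CONFIG = CURRENT
/opt/splunk/etc/apps/search/local/props.conf [syslog]
/opt/splunk/etc/apps/search/local/props.conf TZ = UTC
"""

STANZA_RE = re.compile(r"^(\S+)\s+\[(.+)\]\s*$")
SETTING_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(.*?)\s*$")


def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(2)
            stanzas.setdefault(current, {})
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            path, key, value = m.groups()
            stanzas[current][key] = (value, path)
    return stanzas


def check_setting(stanzas, stanza, key, expected):
    """Return (ok, value, file); ok is True only when the key is present with the expected value."""
    entry = stanzas.get(stanza, {}).get(key)
    if entry is None:
        return (False, None, None)
    value, path = entry
    return (value == expected, value, path)


def matching_stanzas(stanzas, host=None, source=None):
    """List host:: and source:: stanzas whose wildcard matches the given host/source.

    Assumption: Splunk's '*' wildcard is approximated here with fnmatch, compared
    case-insensitively. This is an illustration of the lookup, not Splunk's matcher.
    """
    matches = []
    for name in stanzas:
        if host is not None and name.startswith("host::"):
            if fnmatchcase(host.lower(), name[len("host::"):].lower()):
                matches.append(name)
        if source is not None and name.startswith("source::"):
            if fnmatchcase(source.lower(), name[len("source::"):].lower()):
                matches.append(name)
    return matches


if __name__ == "__main__":
    # To use against a live system, replace SAMPLE_BTOOL_DEBUG with the output of:
    #   $SPLUNK_HOME/bin/splunk cmd btool props list --debug
    parsed = parse_btool_debug(SAMPLE_BTOOL_DEBUG)
    ok, value, path = check_setting(parsed, "host::m*", "DATETIME_CONFIG", "CURRENT")
    print("host::m* DATETIME_CONFIG:", value, "from", path, "OK" if ok else "MISMATCH")
    print("stanzas matching host m1, source udp:514:",
          matching_stanzas(parsed, host="m1", source="udp:514"))
```

Running the script against real btool output shows, for a given host and source, every host:: and source:: stanza that could claim the event and the file each setting came from, which is the information needed to tell a stanza that never matched apart from one that was overridden elsewhere.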