Hi Team,
We are on Splunk 6.5.
Our forwarder machines are in the Brasilia time zone and our indexer is in the UTC time zone.
I have tried updating the entry below in the props.conf file on my forwarder machine.
[test]
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%f
TIME_PREFIX=^
TZ=America/Sao_Paulo
MAX_TIMESTAMP_LOOKAHEAD=25
I can still see that the indexed events are in the UTC time zone in the GUI. Please help me with this issue.
Regards,
Abilan
We need to see a sample event and your inputs.conf. It would be nice to see transforms.conf, too.
I had the very same issue not so long ago, and the resolution was that the props.conf on the INDEXER needed to have the stanza added, not on the forwarder.
Which also required that I go to this page on the indexer or restart the indexer service.
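An added example (not code from the thread or from Splunk) that models what the `[test]` stanza does wherever timestamp parsing actually runs: the same raw timestamp becomes a different epoch depending on whether `TZ` is applied, which is why the stanza has no effect if it sits on a host that does not parse. The sample event, the function names and the simplified strptime-based extraction are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
try:
    from zoneinfo import ZoneInfo
except ImportError:          # very old Python: fall back below
    ZoneInfo = None

STANZA = """[test]
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%f
TIME_PREFIX=^
TZ=America/Sao_Paulo
MAX_TIMESTAMP_LOOKAHEAD=25
"""
# Constructed sample event (June, so Brasilia time is UTC-3 with no DST in play).
SAMPLE_EVENT = "2017-06-15 10:00:00,123 INFO scheduler job=42 status=done"

def parse_stanza(text):
    """Return the key/value settings of a single props.conf stanza."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def zone(name):
    """Resolve an IANA zone; without a tz database assume fixed UTC-3 (Brasilia, no DST)."""
    try:
        return ZoneInfo(name)
    except Exception:
        return timezone(timedelta(hours=-3))

def event_epoch(event, props, host_tz=timezone.utc):
    """Epoch a parsing host would assign: TZ from props if set, else the host's own zone."""
    m = re.search(props.get("TIME_PREFIX", "^"), event)
    if m is None:
        return None
    window = event[m.end():m.end() + int(props.get("MAX_TIMESTAMP_LOOKAHEAD", 128))]
    tz = zone(props["TZ"]) if "TZ" in props else host_tz
    for end in range(len(window), 0, -1):      # longest prefix that fits TIME_FORMAT
        try:
            naive = datetime.strptime(window[:end], props["TIME_FORMAT"])
        except ValueError:
            continue
        return naive.replace(tzinfo=tz).timestamp()
    return None

def shown_as(epoch, viewer_tz):
    """The stored epoch rendered in a viewer's zone (display is separate from parsing)."""
    return datetime.fromtimestamp(epoch, viewer_tz).strftime("%Y-%m-%d %H:%M:%S %z")

if __name__ == "__main__":
    props = parse_stanza(STANZA)
    no_tz = {k: v for k, v in props.items() if k != "TZ"}
    for label, p in (("TZ applied", props), ("TZ missing on UTC host", no_tz)):
        e = event_epoch(SAMPLE_EVENT, p)
        print(f"{label:24} epoch={e:.3f} shown in UTC as {shown_as(e, timezone.utc)}")
```

With `TZ` applied the 10:00 Brasilia event is stored as 13:00 UTC; without it, a UTC host stores it as 10:00 UTC, a three-hour skew that carries into every search and correlation on that data.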
Good call, don't forget the restart! Abilan
./splunk btool props list test --debug
Need the sourcetype on the forwarder and indexer.
EDIT: updated command to reflect the different sourcetype, as you have it called test now... the other thread is sched.
Hi,
Thanks again for your help.
I have executed the query on my forwarder. Please find the output below. sourcetype is empty here.
/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf [scheduler]
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf ANNOTATE_PUNCT = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf AUTO_KV_JSON = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE_DATE = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf CHARSET = UTF-8
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf DATETIME_CONFIG = /etc/datetime.xml
/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+-]\d+ )?(?P[^ ]*)\s+(?P[^ ]+) - (?P.+)
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf HEADER_MODE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_MODEL = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_SOURCETYPE = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LINE_BREAKER_LOOKBEHIND = 100
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_AGO = 2000
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_HENCE = 2
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_AGO = 3600
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_HENCE = 604800
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_EVENTS = 256
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_BREAK_AFTER =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_AFTER =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_BEFORE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION = indexing
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-all = full
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-inner = inner
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-outer = outer
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-raw = none
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-standard = standard
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SHOULD_LINEMERGE = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRANSFORMS =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRUNCATE = 10000
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf detect_trailing_nulls = false
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf maxDist = 100
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf priority =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf sourcetype =
Hi,
The correct name is sched. I gave it as test just as an example.