Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Specifying timezone by host and sourcetype

grahamkenville
Engager
‎07-31-2012 09:53 AM

We have a sourcetype for /var/log/messages that is logged in the local server time on almost every host.

We have one host, however, which logs /var/log/messages (and some other files) in GMT. The system time on this host is set to the local timezone. This host is sending logs via the universal forwarder.

I understand that I need to probably need to modify props.conf on the Splunk host which is indexing the logs. My question is, how do I specify that I only want sourcetype foo from host bar (and ONLY host bar) to be in GMT?

Can I do something like this?
[source::/var/log/messages AND host::bar]
TZ=GMT

Thanks!

0 Karma
Reply

pshumate
Explorer
‎02-06-2014 10:02 AM

Where do I conf that?
Timestamp is a parse time function and must be done at the indexer. 6.0 helps a bit.

0 Karma
Reply

Takajian
Builder
‎07-31-2012 11:43 PM

Timestamp is recognized when Splunk parse the event. So, you will need to configure appropriate Timezone setting on your universal forwarder with host, not central indexer. Hope this help.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...