Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Specifying timezone by host and sourcetype

grahamkenville
Engager
‎07-31-2012 09:53 AM

We have a sourcetype for /var/log/messages that is logged in the local server time on almost every host.

We have one host, however, which logs /var/log/messages (and some other files) in GMT. The system time on this host is set to the local timezone. This host is sending logs via the universal forwarder.

I understand that I need to probably need to modify props.conf on the Splunk host which is indexing the logs. My question is, how do I specify that I only want sourcetype foo from host bar (and ONLY host bar) to be in GMT?

Can I do something like this?
[source::/var/log/messages AND host::bar]
TZ=GMT

Thanks!

0 Karma
Reply

pshumate
Explorer
‎02-06-2014 10:02 AM

Where do I conf that?
Timestamp is a parse time function and must be done at the indexer. 6.0 helps a bit.

0 Karma
Reply

Takajian
Builder
‎07-31-2012 11:43 PM

Timestamp is recognized when Splunk parse the event. So, you will need to configure appropriate Timezone setting on your universal forwarder with host, not central indexer. Hope this help.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...