Splunk Enterprise

monitor file on syslog-ng server contains entries for devices with different timezones

radam2000
Path Finder

I have a Red Hat 7.4 syslog-ng server with a Splunk heavy forwarder (8.1.2) installed. The server TZ is EST.

Server collects udp/514 logs from multiple networking devices and writes them to textfiles like ...
/syslogs/todays-internetfirewalls.txt
/syslogs/todays-routers.txt
/syslogs/todays-switches.txt

The Splunk heavy forwarder has data/file monitor inputs for the various text files, and they are assigned to the appropriate index with the appropriate sourcetype.

Some of the network devices sending udp/514 syslogs to the above server are in different timezones, but the entries written to the text file are not adjusted for timezones...

example screen attached - In screenshot IP 172.24.63.88 is GMT and 172.24.3.5 is EST

I researched and tried to create an app called Timezones on the HF with a local/props.conf file that just lists...

[host::172.24.63.88]
TZ = GMT

but when the file data is ingested, the _time for the IP in GMT is the same as it appears in the log file entry, with no adjustment to bring the GMT time to EST time?

Any help would be appreciated. I have read several links already and followed a few answers...

https://community.splunk.com/t5/Dashboards-Visualizations/Multiple-Timezones-search-worldwide/td-p/9...

https://community.splunk.com/t5/Getting-Data-In/Multiple-time-zones-in-props-conf/m-p/286456#M54667

https://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

Rich
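The following is an added illustration of what a per-host TZ setting has to do for a file like the ones above; it is not code from the post or from Splunk. It mirrors the props.conf idea (one timezone per sending host) in plain Python: each syslog line's naive wall-clock timestamp is interpreted in the timezone of the host that wrote it, and hosts with no mapping fall back to the server's zone, which reproduces the "no adjustment" symptom. Assumptions: fixed UTC offsets (EST = UTC-5 with no DST switching, so no tzdata is needed), a constructed year of 2021 because BSD syslog timestamps carry none, and constructed log lines using the two IPs from the post plus one unmapped device.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed per-host timezone table mirroring the props.conf stanzas in the
# post ([host::172.24.63.88] TZ = GMT, plus the EST device 172.24.3.5).
# Fixed offsets are an assumption so this runs without a tzdata database.
SERVER_TZ = timezone(timedelta(hours=-5), "EST")   # the syslog-ng / HF host
HOST_TZ = {
    "172.24.63.88": timezone.utc,                   # device that reports in GMT
    "172.24.3.5": SERVER_TZ,                        # device that reports in EST
}

# Classic BSD syslog line as syslog-ng writes it: "Mar 10 14:22:05 <host> <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_event(line, year, host_tz=HOST_TZ, default_tz=SERVER_TZ):
    """Interpret one syslog line's timestamp in the sending host's timezone.

    Returns a dict with the host, the absolute epoch (_time), the zone that
    was applied, and the message. Unmapped hosts get the server's zone, i.e.
    the timestamp is taken at face value, which is the symptom in the post.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    naive = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    tz = host_tz.get(m["host"], default_tz)
    aware = naive.replace(tzinfo=tz)
    return {
        "host": m["host"],
        "_time": aware.timestamp(),
        "tz": tz.tzname(None),
        "msg": m["msg"],
    }


def server_local(epoch, tz=SERVER_TZ):
    """Render an epoch the way a user searching in the server's zone sees it."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S %Z")


# Constructed sample lines: two devices logging the same wall-clock time in
# different zones, plus one device with no TZ mapping at all.
SAMPLE_LINES = [
    "Mar 10 14:22:05 172.24.63.88 link up on GigabitEthernet0/1",
    "Mar 10 14:22:05 172.24.3.5 link up on GigabitEthernet0/1",
    "Mar 10 14:22:05 10.9.9.9 unmapped device: session timeout",
]


def ingest(lines, year=2021):
    """Parse a whole monitored file (list of lines) into events."""
    return [parse_event(line, year) for line in lines]


if __name__ == "__main__":
    for ev in ingest(SAMPLE_LINES):
        print(f"{ev['host']:<14} tz={ev['tz']:<4} _time={ev['_time']:.0f} "
              f"shown as {server_local(ev['_time'])}")
```

Running it shows the GMT device's 14:22:05 landing at 09:22:05 EST while the EST device and the unmapped device both stay at 14:22:05; the unmapped case is what an ingest looks like when the host stanza never matches the event's host value, so checking which host value the forwarder actually assigns to each event is the first thing to verify.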
