Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

monitor file on syslog-ng server contains entries for devices with different timezones

radam2000
Path Finder
‎06-24-2021 04:46 PM

I have a redhat 7.4 syslog-ng server with splunk heavy forwarder(8.1.2)  installed. server is TZ EST

Server collects udp/514 logs from multiple networking devices and writes them to textfiles like ...
/syslogs/todays-internetfirewalls.txt
/syslogs/todays-routers.txt
/syslogs/todays-switches.txt

splunk Heavy Forwarder has data/file monitor inputs for the various text files and are assigned to the appropriate index with the appropriate sourcetype

so some network devices sending udp/514 syslogs to the above server are in different timezones but the entries in the text file written do not adjust for timezones...

example screen attached - In screenshot IP 172.24.63.88 is GMT and 172.24.3.5 is EST

I researched and tried to create an app called Timezones on the HF with a local/props.conf file that just lists...

[host::172.24.63.88]
TZ = GMT

but when file data is ingested the _time for the IP in GMT is same as it appears in the log file entry with no adjustment to bring GMT time to EST time??

any help would be appreciated - I have read several links already and follow a few answers...

https://community.splunk.com/t5/Dashboards-Visualizations/Multiple-Timezones-search-worldwide/td-p/9...

https://community.splunk.com/t5/Getting-Data-In/Multiple-time-zones-in-props-conf/m-p/286456#M54667

https://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

Rich

Labels (1)
Labels
Tags (1)
Preview file
40 KB
0 Karma
Reply

radam2000
Path Finder
‎06-25-2021 09:05 AM

I also checked out this link...

Specify time zones for timestamps - Splunk Documentation

Rich

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...