Getting Data In

Are Windows event logs from the Windows forwarder lacking timezone?

gfriedmann
Communicator

I'm trying to get a configuration going with light forwarders on many windows servers in different timezones.

It appears that a Windows light forwarder does not include timezone info with the WinEventLog input sources.

Has anyone succeeded in sorting out Windows event log timestamps in such a configuration? Am I crazy and missing a simple fix? I really don't want to declare the timezone in props.conf for each Windows host individually.

1 Solution

gkanapathy
Splunk Employee

You are correct. This is a bad flaw in the Splunk Windows input processors. I am surprised I do not see more about this here on answers.splunk.com. Another related flaw is the use of two-digit years, but whatever.

Please file an enhancement request on this. Unfortunately I don't have a solution for you other than to either configure the timezone on the indexers, or to start the Splunk process under the same time zone as the indexers. Neither is a good solution. Another way to fix this would be for the Splunk forwarders to be able to pass the timezone of an input down in the metadata (the way it can pass host, sourcetype, source, index, etc.) But this is also currently impossible.


gfriedmann
Communicator

Thank you for the confirmation. Maybe managing each non-standard timezone host individually in props.conf isn't the end of the world. I guess I might later run into problems if I collect other flat-file log inputs that are in UTC on that host but without a timezone. Enhancement request is filed. 🙂

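The per-host props.conf approach discussed in the thread looks like the following. This is an added example, not configuration from the original post or from Splunk's documentation; the host names, the wildcard naming scheme and the UTC flat-file path are constructed placeholders. It also covers the case raised above of a UTC flat file on a host whose event logs are local time, by giving that source its own stanza.

```ini
# props.conf on the indexer (or on a heavy forwarder that parses the data).
# A light/universal forwarder does not apply TZ itself, so these stanzas
# must live where the timestamps are actually extracted.
# All host names and paths below are constructed placeholders.

# Event logs from a host whose clock is set to Central European time
[host::win-app-fra01]
TZ = Europe/Berlin

# Event logs from a host in US Eastern time
[host::win-dc-nyc01]
TZ = America/New_York

# Wildcards let one stanza cover a naming scheme; here every host whose
# name starts with "win-syd" is assumed to sit in the Sydney timezone
[host::win-syd*]
TZ = Australia/Sydney

# A flat file written in UTC on one of the Sydney hosts. A source:: stanza
# takes precedence over a host:: stanza, so this file keeps UTC while the
# host's event logs still get Australia/Sydney.
[source::C:\\ProgramData\\ExampleApp\\logs\\app-utc.log]
TZ = UTC
```

To confirm which TZ a given host resolves to after a restart, `splunk btool props list host::win-dc-nyc01 --debug` prints the merged stanza and the file it came from. A quick sanity check that the offsets are right is to compare `_time` with `_indextime` for a recently indexed host: events whose `_time` sits a whole number of hours away from `_indextime` are the ones whose timezone is still wrong, which matters most when event-log timestamps are lined up against other sources during an investigation.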

gfriedmann
Communicator

Additional info: playing with the splunkd light forwarder on Windows, I see that it sends raw data with a timestamp reflecting whatever timezone the server was in when splunkd started. For example, changing the server timezone will not immediately change the timestamps logged by Splunk.

Maybe it has something to do with the API Splunk uses to get event log data. It'd be nice if it included the timezone in the forwarded message, though.
