Are Windows Eventlogs from Windows forwarder lacking timezone?

gfriedmann
Communicator

I'm trying to get a configuration going with light forwarders on many Windows servers in different timezones.

It appears that a Windows light forwarder does not include timezone info with the WinEventLog input sources.

Has anyone succeeded in sorting out Windows eventlog timestamps in such a configuration? Am I crazy and missing a simple fix? I really don't want to declare the timezone in props.conf for each Windows host individually.

1 Solution

gkanapathy
Splunk Employee

You are correct. This is a bad flaw in the Splunk Windows input processors. I am surprised I do not see more about this here on answers.splunk.com. Another related flaw is the use of two-digit years, but whatever.

Please file an enhancement request on this. Unfortunately I don't have a solution for you other than to either configure the timezone on the indexers, or to start the Splunk process under the same time zone as the indexers. Neither is a good solution. Another way to fix this would be for the Splunk forwarders to be able to pass the timezone of an input down in the metadata (the way it can pass host, sourcetype, source, index, etc.) But this is also currently impossible.

gfriedmann
Communicator

Thank you for the confirmation. Maybe managing each non-standard timezone host individually in props.conf isn't the end of the world. I guess I might later run into problems if I collect other flat-file log inputs that are in UTC on that host but without a timezone. Enhancement request is filed. 🙂

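One way to write the per-host props.conf workaround discussed above, as an added example rather than configuration from the original posts; the host names and the log path are hypothetical. The source:: stanza addresses the UTC flat-file caveat, since source patterns take precedence over host patterns within props.conf.

```ini
# props.conf on the indexers: with light/universal forwarders the parsing
# (and therefore timestamp/TZ handling) happens at index time, so the missing
# timezone metadata from the forwarder is corrected here.
# Host names and paths below are hypothetical placeholders.

# Windows event logs arrive as local wall-clock time with no zone, so pin the
# zone of every host that does not run in the indexers' timezone.
[host::winapp-ny-01]
TZ = America/New_York

# Wildcards cover a naming convention instead of one stanza per server.
[host::winapp-lon-*]
TZ = Europe/London

# A flat-file input on one of those hosts whose timestamps are already UTC
# must not inherit the host's zone; a source:: stanza overrides host:: stanzas
# (backslashes in Windows paths are escaped in stanza names).
[source::D:\\logs\\app\\*.log]
TZ = UTC
```

A quick check after deploying is to compare `_time` with the raw timestamp in `_raw` for a known event from each host; a constant offset equal to the host's UTC offset means the TZ stanza is not matching that host.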

gfriedmann
Communicator

Additional info: playing with the splunkd light forwarder on Windows, I see that it sends rawdata with a timestamp reflecting whatever timezone the server was in when splunkd started. For example, changing the server timezone will not immediately change the timestamps logged by Splunk.

Maybe it has something to do with the API Splunk uses to get Eventlog data. It'd be nice if it included the timezone in the forwarded message, though.
