Getting Data In

Universal Forwarder - Timezone by sourcetype not working?

alexism
New Member

Just starting out with Splunk recently, still using the free version for now. My Splunk head, indexer & deployment server are on a Linux server and I'm running a universal forwarder on a Windows 2008 R2 server.

So far so good, I set up a bunch of inputs via a deployment app on the main install and pushed these to the forwarder.

Logs are being picked up as expected, but timestamps are not being handled as I would expect...

All the servers are (for now) set in the same timezone (EST), and most of our logs use the server local time, but for some types of logs the times are in UTC. This cannot be changed as having timestamps in UTC is defined in the protocol we're using for these logs (FIX protocol, if you must know!).

So I configured inputs.conf as:

[monitor://D:\app1\log\oms*.log]
disabled = false
index = default
sourcetype = Test.OMS

[monitor://D:\app1\log\feed*.log]
disabled = false
index = default
sourcetype = Test.Feed

######## FIX ########
[monitor://D:\app1\log\FIX\*.messages.current.log]
disabled = false
index = default
sourcetype = Test.FixMessages

[monitor://D:\app1\log\FIX\*.event.current.log]
disabled = false
index = default
sourcetype = Test.FixEvents

And props.conf:

[Test.FixMessages]
TZ=GMT

[Test.FixEvents]
TZ=GMT

I have checked the local configs that the forwarder has received from the deployment server and they agree with the above. But when I search for these events in Splunk their times are shifted by 5 hours - the timestamp seems to have been parsed as EST and sequencing of events (as compared to other log files which are EST) gets all weird and funky.

What am I missing here?

Thanks
-Alex

0 Karma

alexism
New Member

Ok, I've just answered my own question... I never considered putting the TZ parameters in props.conf on the Linux main server itself. Doing that worked. I think I'm still a bit confused as to what configuration applies at which time and in what priority...

Question now should be rephrased as - is this the correct approach, or is there a "better" way? I'd prefer to have all settings inside the deployment app I have rather than some in the app and some on the server itself...

0 Karma
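A worked illustration of the two posts above, added here as example code that is not part of the thread or of Splunk itself. The `TZ` setting in props.conf is applied where events are parsed, and a universal forwarder does not parse, so the stanza only takes effect on the indexer (the Linux server); with the stanza absent at the parsing tier, the naive FIX timestamps are read in the host's local zone and land five hours late, which breaks cross-log sequencing. The script parses the poster's props.conf stanzas, assigns each event its zone by sourcetype, and shows both the 5-hour shift and the ordering with and without the stanzas. The log lines, sourcetypes and the fixed EST offset are constructed for the example; a real deployment would use the `[sourcetype]` stanzas on the indexer's props.conf.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed props.conf text, mirroring the stanzas in the question.
PROPS_CONF = """
[Test.FixMessages]
TZ=GMT

[Test.FixEvents]
TZ=GMT
"""

# Assumption: all hosts are on EST with no DST in the sample window (January).
EST = timezone(timedelta(hours=-5), "EST")

# FIX UTCTimestamp looks like YYYYMMDD-HH:MM:SS.sss; the app logs are assumed
# to start with "YYYY-MM-DD HH:MM:SS" (constructed for the example).
FIX_TS = re.compile(r"^(\d{8}-\d{2}:\d{2}:\d{2})(?:\.\d{3})?")
APP_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_props(text):
    """Minimal parser for props.conf-style [stanza] / key=value blocks.
    Returns {stanza: {key: value}}; comments and blank lines are skipped."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def event_time(line, sourcetype, props, parser_tz=EST):
    """Attach a zone to the naive timestamp at the start of the line: the
    sourcetype's TZ if a stanza sets one, else the parsing host's local zone
    (this fallback is what produced the 5-hour shift in the question)."""
    tzname = props.get(sourcetype, {}).get("TZ")
    tz = timezone.utc if tzname in ("GMT", "UTC") else parser_tz
    m = FIX_TS.match(line)
    if m:
        naive = datetime.strptime(m.group(1), "%Y%m%d-%H:%M:%S")
    else:
        m = APP_TS.match(line)
        if not m:
            raise ValueError("no recognised timestamp: " + line)
        naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz)


def shift_seconds(line, sourcetype, props):
    """How far an event moves when the TZ stanza is missing at the parser."""
    with_tz = event_time(line, sourcetype, props).timestamp()
    without = event_time(line, sourcetype, {}).timestamp()
    return without - with_tz


def sequence(events, props):
    """Order (line, sourcetype) pairs by UTC epoch; returns
    (epoch, sourcetype, line) tuples so cross-log ordering can be checked."""
    out = [(event_time(l, st, props).timestamp(), st, l) for l, st in events]
    return sorted(out)


# Constructed sample: an order in the OMS log (EST), its FIX message (UTC),
# and the fill in the OMS log (EST). True order is OMS, FIX, OMS.
SAMPLE_EVENTS = [
    ("2024-01-15 09:30:00 OMS order accepted id=42", "Test.OMS"),
    ("20240115-14:30:05.000 8=FIX.4.4|35=D|11=42", "Test.FixMessages"),
    ("2024-01-15 09:30:10 OMS fill received id=42", "Test.OMS"),
]

if __name__ == "__main__":
    props = parse_props(PROPS_CONF)
    fix_line, fix_st = SAMPLE_EVENTS[1]
    print("shift without TZ stanza:", shift_seconds(fix_line, fix_st, props) / 3600, "h")
    print("with stanza:   ", [st for _, st, _ in sequence(SAMPLE_EVENTS, props)])
    print("without stanza:", [st for _, st, _ in sequence(SAMPLE_EVENTS, {})])
```

Running it prints a 5.0 h shift for the FIX line and shows the FIX message dropping to the end of the sequence when the stanza is absent, which is the "weird and funky" ordering described in the question; the same check is a useful regression test after any change to the parsing tier's props.conf.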