- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- With IIS logs in GMT and the forwarder, indexer, a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have the following setup,
Forwarder
Server (UTC) Dublin, Edinburgh, Lisbon, London and seems to follow daylight savings, server clock 16:19
Logs UTC+0 - 15:19
Indexer & Search Head (UTC) Dublin, Edinburgh, Lisbon, London and seems to follow daylight savings, server clock 16:19
User set to GMT : London - Europe/London
When BST comes around, real-time does not work. What settings do I need to change so that a user in BST will be able to see real-time logs all year round when searching?
All logs seem to be displayed in UTC+0, with the timestamp taken directly from the logs of 15:19, so searching over the last hour brings no results.
All users know the logs are in UTC+0 without daylight saving adjustments but I would like real- time to work in BST..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to add TZ=BST to the props.conf file for that input (host) and send it to all of your indexers and restart the Splunk services there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to add TZ=BST to the props.conf file for that input (host) and send it to all of your indexers and restart the Splunk services there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply.
Just to confirm is this the props.conf on the forwarder or the indexer?
So on the forwarder?
[host::NLDNxxxxDAP]
TZ=BST
The logs on the data collector server are recorded by other software that is UTC+0 but the server clock is '(UTC) Dublin, Edinburgh, Lisbon, London' and seems to follow daylight savings. So Server clock time = 8:29 and Logs on same server recorded as 7:29. The forwarder sits on this server and forwards logs to the indexer.
Even with the above settings, when the logs are forwarded and indexed in Splunk, the _time is identical to that is the raw logs so 7:29, hence real time will not work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Daniel the props.conf will have to be set up on the indexer not forwarder. They will get adjusted according to your config for the newer entries. you can modify anything for the indexed items or better re-index them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not understand your last sentence but you need to deploy this change to the entity that is doing the indexing which is usually all the indexers (unless you are using a Heavy Forwarder or INDEXED_EXTRACTIONS on a regular forwarder) and then restart all Splunk instances there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TZ = Universal solved the issue, you got em o nthe right track! thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, don't forget to "Accept" the answer to close out the question.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
