Getting Data In

Overriding TZ for source

mikelanghorst
Motivator

I have a JBoss/Tomcat access log that has an incorrect Timezone configuration, causing Splunk to set the time to an hour ahead.

172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0

The server is correctly set at PDT, but something is setting this log to stay at -0800. The developer isn't sure where this is set, and it would take some time to correct even when we do find the location. How do I properly change the time for this source? It occurs on several hosts (dev/test/staging/production), but only for this source file.

I've set props.conf on the indexer to:
[source::/my/app/path/localhost_access*]
TZ=PDT

Is this incorrect? It didn't change the behavior and I verified with btool that it's in effect.

woodcock
Esteemed Legend

You should be able to use TZ_ALIAS like this:

TZ_ALIAS=-0800=PDT

0 Karma

dwaddle
SplunkTrust

Some additional things worth trying:

First, set an explicit TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in addition to a TZ for this source. Make the TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD explicitly ignore the "-0800" bit, preferably by setting MAX_TIMESTAMP_LOOKAHEAD small enough to where the "-0800" part isn't considered.

If that doesn't work, as hideous as it is, you could filter out the "-0800" using a SEDCMD. (I really hope it doesn't come to this.)
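
An illustration of the first suggestion in the answer above, added here and not part of any poster's reply: a Python model (not Splunk's own parser) of how the sample event lands an hour ahead when the logged "-0800" is parsed, and how a lookahead of 24 characters stops before the offset so a configured zone applies instead. The fixed UTC-7 zone standing in for PDT, the "[" prefix and all function names are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed from the sample event in the question.
EVENT = '172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0'

# Assumption: the server's true zone on this date is PDT (UTC-7), as the poster states.
PDT = timezone(timedelta(hours=-7), "PDT")

TIME_PREFIX = re.compile(r"\[")          # hypothetical prefix: timestamp starts after "["
FULL_FORMAT = "%d/%b/%Y:%H:%M:%S.%f %z"  # consumes the logged "-0800"
SHORT_FORMAT = "%d/%b/%Y:%H:%M:%S.%f"    # stops before the offset


def extract(event, lookahead):
    """Return at most `lookahead` characters following the prefix match."""
    m = TIME_PREFIX.search(event)
    if m is None:
        raise ValueError("no timestamp prefix in event")
    return event[m.end():m.end() + lookahead]


def parse_with_logged_offset(event):
    """The offset in the event is parsed, so a configured zone is never consulted."""
    return datetime.strptime(extract(event, 30), FULL_FORMAT)


def parse_ignoring_offset(event, source_tz=PDT):
    """A lookahead of 24 ends at the milliseconds; the configured zone is applied."""
    naive = datetime.strptime(extract(event, 24), SHORT_FORMAT)
    return naive.replace(tzinfo=source_tz)


def skew(event):
    """How far ahead the offset-honoring parse lands compared with the override."""
    return parse_with_logged_offset(event) - parse_ignoring_offset(event)


if __name__ == "__main__":
    print("honoring -0800:", parse_with_logged_offset(EVENT).astimezone(PDT))
    print("ignoring -0800:", parse_ignoring_offset(EVENT).astimezone(PDT))
    print("skew:", skew(EVENT))
```
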

mikelanghorst
Motivator

Used the data import function on my local instance to set this up. Looks like this will be the answer.

0 Karma

ChrisG
Splunk Employee

Splunk uses zoneinfo TZ database values (see http://docs.splunk.com/Documentation/Splunk/4.3.1/data/Applytimezoneoffsetstotimestamps and http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones ). Did you try US/Pacific for the TZ value?

mikelanghorst
Motivator

Yes, I just tried TZ=US/Pacific, but no change.

» 4/9/12
5:29:41.000 PM

[09/Apr/2012:16:29:41 -0800] 172.27.140.119 user1 - HTTP/1.1 POST 200 8969 98 /app/unitSubstitution/loadJSON

0 Karma