Getting Data In

how to get the timezone of the logs set in props file

deepthi5
Path Finder

Hi team,

I have catalina logs coming to Splunk from the Central time zone,
but my Splunk server is installed and configured in the Eastern time zone.

Time: 1/24/17 4:12:55.911 AM

Event: 2017-01-24T 03:12:55.911-0600: 3331438.505: Total time for which application threads were stopped: 0.0008767 seconds, Stopping threads took: 0.000219

This is how Splunk is generating the events, one hour ahead of the time specified in the logs. My sample props.conf file:

[cfs_galaxy_dpsdao_catalina_st]
TIME_FORMAT = %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
NO_BINARY_CHECK = 1
pulldown_type = 1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE =^\d+:\d{2}:\d{2}\,\d{3}
TZ = CST6CDT

0 Karma

gcusello
SplunkTrust

Hi deepthi5,
see https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Propsconf

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as follows:
* If the event has a timezone in its raw text (for example, UTC, -08:00),  use that.
* If TZ is set to a valid timezone string, use that.
* If the event was forwarded, and the forwarder-indexer connection is using the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
* Otherwise, use the timezone of the system that is running splunkd.
* Defaults to empty.

or at https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Applytimezoneoffsetstotimestamps

The Zoneinfo database is at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Bye.
Giuseppe

0 Karma
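
The precedence order quoted in the answer above, applied to the event from the question, as an added example (not code from the original posts or from Splunk). The function names, the fixed January offsets and the second log line are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed January (standard-time) offsets, constructed for this example.
# A DST-aware version would use tz database names such as CST6CDT.
CENTRAL = timezone(timedelta(hours=-6), "CST")
EASTERN = timezone(timedelta(hours=-5), "EST")

# Numeric offset such as -0600 or -06:00 directly after the time of day.
OFFSET_RE = re.compile(
    r"\d{2}:\d{2}:\d{2}(?:[.,]\d+)?\s*([+-])(\d{2}):?(\d{2})\b")

RAW_WITH_OFFSET = ("2017-01-24T 03:12:55.911-0600: 3331438.505: Total time "
                   "for which application threads were stopped")  # from the post
RAW_NO_OFFSET = "03:12:55,911 INFO constructed line without an offset"
WALL = datetime(2017, 1, 24, 3, 12, 55, 911000)  # wall-clock time in the log

def resolve_tz(raw, props_tz=None, forwarder_tz=None, indexer_tz=EASTERN):
    """Return (tzinfo, rule) in the order quoted from the props.conf docs."""
    m = OFFSET_RE.search(raw)
    if m:  # 1. time zone present in the raw event text
        sign = -1 if m.group(1) == "-" else 1
        delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
        return timezone(sign * delta), "raw event text"
    if props_tz is not None:  # 2. TZ set in props.conf
        return props_tz, "TZ in props.conf"
    if forwarder_tz is not None:  # 3. time zone supplied by the forwarder
        return forwarder_tz, "forwarder"
    return indexer_tz, "system running splunkd"  # 4. fallback

def event_time(raw, wall_clock, **kw):
    """Attach the resolved zone to a naive wall-clock timestamp."""
    tz, rule = resolve_tz(raw, **kw)
    return wall_clock.replace(tzinfo=tz), rule

if __name__ == "__main__":
    for raw, kw in [(RAW_WITH_OFFSET, {"props_tz": CENTRAL}),
                    (RAW_NO_OFFSET, {"props_tz": CENTRAL}),
                    (RAW_NO_OFFSET, {})]:
        t, rule = event_time(raw, WALL, **kw)
        print(rule, "->", t.astimezone(EASTERN).isoformat())
```

For the posted event the offset in the raw text is the first rule to match, and 03:12:55.911-0600 is the same instant as 4:12:55.911 AM at UTC-5. Only the line with no offset and no TZ setting lands an hour off, which is the case that distorts an incident timeline.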