All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk DB Connect: How to set correct timezone for Splunk DB Connect feeds?

evelenke
Contributor
‎03-21-2017 01:13 AM

Hi Splunkers,

we have DB with events in UTC which differs from local timezone.
Setting up TZ (timezone) in props.conf for Splunk DB Connect 3.01 sources doesn't work (upd. worked in prev. version)

Here's configuration:

[source::my_source]
TZ = UTC
TIME_FORMAT = %y-%m-%d %H:%M:%S.%3N

I may create a new field with timestamp value needed, but is there any way to convert time of events to correct TZ for Splunk DB Connect?

Reply
1 Solution
Solved! Jump to solution
Solution

chrismewett
Explorer
‎06-20-2017 08:52 PM

On does not simply set a timezone flag in props.conf for dbconnect inputs - the app appears to do timestamping before it gets to props.conf processing.

Add the following to the JVM options in the configuration tab of the DB connect app:
-Duser.timezone=GMT

A challenge with this approach is that it means that all database logs on this forwarder are ingested in GMT/UTC, so if you have different databases logging in different timezones, you'll need a different dbconnect app / forwarder combination for each one.

(Ideally we'd be able to set it on a per connection basis instead of per JVM, but it is not this day).

View solution in original post

Reply
Solved! Jump to solution

anatoliikostin
Explorer
‎05-28-2019 08:04 AM

Time zone can be defined for every connection:
Configuration -> Databases -> Connections -> "your connection" (Timezone dropdown)

It worked for my case where DB has UTC and local user UTC +2.

Reply
Solved! Jump to solution

AnilPujar
Path Finder
‎10-24-2019 12:11 AM

Yes, the timezone is set to Asia/Dubai, but still the data time is 4 hour less.

0 Karma
Reply
Solved! Jump to solution

itrimble1
Path Finder
‎05-31-2019 08:25 AM

What version of Splunk are you using ?

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎04-02-2018 10:39 AM

@princemanto2580

Logs are logging with GMT. Since I am from GMT+4 added 4 hours to match my local timezone. I believe mcafee logs event with GMT find your timezone and add/substract hours based on your timezone.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

princemanto2580
Path Finder
‎04-02-2018 06:13 AM

Hi,

I tried with "SELECT dateadd(HOUR, 4, [EPOEvents].[ReceivedUTC]) as [timestamp]," but still is showing the difference with 4 hours. Can you help on this?

0 Karma
Reply
Solved! Jump to solution
Solution

chrismewett
Explorer
‎06-20-2017 08:52 PM

On does not simply set a timezone flag in props.conf for dbconnect inputs - the app appears to do timestamping before it gets to props.conf processing.

Add the following to the JVM options in the configuration tab of the DB connect app:
-Duser.timezone=GMT

A challenge with this approach is that it means that all database logs on this forwarder are ingested in GMT/UTC, so if you have different databases logging in different timezones, you'll need a different dbconnect app / forwarder combination for each one.

(Ideally we'd be able to set it on a per connection basis instead of per JVM, but it is not this day).

Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎05-23-2017 09:31 AM

Hi Adam,

Thanks for your reqply..
I have gone through the db connect document and modified SQL query. Instead of applying TZ in props.conf

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-23-2017 09:43 AM

You should click Accept on this answer to close the question.

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎05-23-2017 09:14 PM

Hi,

There is known bug in DB connect. props can't be overridden.

Reference: DB connect release notes: link text

Here is the solution which I have come up with. you can use if you like this.

My McAfee logs in UTC & My Splunk server is running in UTC+4.

I have added below line to query it self.

SELECT dateadd (hour , 4 , [EPOEvents].[ReceivedUTC]) AS [timestamp] from xyz

you can look for sql functions as per your database & I found this is best solution as of now.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

abalogh_splunk
Splunk Employee
Splunk Employee
‎05-23-2017 09:03 AM

There is an issue with DBX 3.0.2 that it does not honor props.conf. I have not tested version 3.0.3 yet.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-21-2017 07:49 AM

This definitely should work. Try deploying this on both your forwarders and your indexers. Starting with v6.0 the Forwarders will pass this setting to the Indexers and the Indexers will honor it. This means you will only have to restart Splunk on your Forwarders. If this doesn't work, then deploy the setting to your Indexers but you will need to restart Splunk on your Indexers to activate it. And even then, only your newly-forwarded events will be modified; the pre-fix events will stay broken forever.

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎05-23-2017 04:33 AM

Hi,
This is not working.. I tried applying the above mentioned settings in HF and Indexer. but , there is no luck

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...