- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Time stamp modification
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Time stamp modification
Hi Team,
We are in splunk 6.5.
Our forwarder machines are having Brasilia Time zone and our indexer is on UTC time zone.
I have tried updating the below entry on Props.conf file on my forwarders machine.
[test]
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%f
TIME_PREFIX=^
TZ=America/Sao_Paulo
MAX_TIMESTAMP_LOOKAHEAD=25
Still I can see the indexed events are in UTC time zone in GUI. Please help me here on this issue.
Regards,
Abilan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We need to see a sample event and your inputs.conf. It would be nice to see transforms.conf, too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the very same issue not so long ago, and the resolution was that the props.conf on the INDEXER needed to have the stanza added, not on the forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which also required that I go to this page on the indexer or restart the indexer service.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
good call, dont forget restart! Abilan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
./splunk btool props list test --debug need the sourcetype on the forwarder and indexer.
EDIT : updated command to reflect different soucretype. as you have it called test now...other thread is sched
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Thanks again for your help.
I have executed the query on my forwarder. Please find the output below. sourcetype is empty here.
/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf [scheduler]
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf ANNOTATE_PUNCT = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf AUTO_KV_JSON = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE_DATE = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf CHARSET = UTF-8
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf DATETIME_CONFIG = /etc/datetime.xml
/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+-]\d+ )?(?P[^ ]*)\s+(?P[^ ]+) - (?P.+)
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf HEADER_MODE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_MODEL = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_SOURCETYPE = true
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LINE_BREAKER_LOOKBEHIND = 100
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_AGO = 2000
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_HENCE = 2
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_AGO = 3600
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_HENCE = 604800
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_EVENTS = 256
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_BREAK_AFTER =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_AFTER =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_BEFORE =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION = indexing
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-all = full
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-inner = inner
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-outer = outer
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-raw = none
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-standard = standard
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SHOULD_LINEMERGE = True
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRANSFORMS =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRUNCATE = 10000
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf detect_trailing_nulls = false
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf maxDist = 100
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf priority =
/u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf sourcetype =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
correct name is sched. Just for example I have given it as test.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
