Getting Data In

If multiple hosts, in different time zones, are sending logs to Splunk . In that case how to configure Timezone props.conf for the hosts individually.

ranjyotiprakash
Communicator

If multiple hosts, in different time zones, are sending logs to Splunk . In that case how to configure Timezone props.conf for the hosts individually.

I am using in props.conf

[source::tcp:514]
TZ=America/Los_Angeles

But, how to configure if there are two or more hosts in different timezones ?

Thanks..

Tags (3)
1 Solution

Drainy
Champion

Have a look at this question just below yours;
http://splunk-base.splunk.com/answers/52227/multiple-timezones-search-worldwide

It covers how to configure the TZ on a per host basis.

View solution in original post

Drainy
Champion

Have a look at this question just below yours;
http://splunk-base.splunk.com/answers/52227/multiple-timezones-search-worldwide

It covers how to configure the TZ on a per host basis.

Drainy
Champion

It can also completely mess with your timestamping if events are subject to network delays or processing delays. You really need to fix the timezone issue and let Splunk figure out your correct timestamp.

0 Karma

sowings
Splunk Employee
Splunk Employee

Note that using DATETIME_CONFIG = CURRENT sets the event time to the current time, on the indexer, when the event arrives, regardless of the time stamp in the event itself. It can produce confusing results for batch-style inputs.

0 Karma

ranjyotiprakash
Communicator

I have used
[source::tcp*]
DATETIME_CONFIG = CURRENT
in props.conf.
works fine with any timezone. Is this correct to use ?

0 Karma

Drainy
Champion

Ok, I would suspect it relates to the problem I mention in the other answer about the order that Splunk applies transforms. Have you tried using a more definite TZ such as GMT, CST or whatever LA falls into? Also note it will only affect your newly indexed data and that Splunk will then adjust the timestamp you see based on your timezone defined for your user in the account section in manager

0 Karma

ranjyotiprakash
Communicator

Hi Drainy,

I saw the link posted by you.
My logs are of this format :

<134>Jul 5 04:01:27 barracuda "-" TR 10.11.144.25 80 10.11.144.25 49740 "-" "-" GET HTTP 10.11.144.25 HTTP/1.0 200 1335 118 SERVER PROFILED PASSIVE VALID /index.html 10.11.144.25 49740

and i am using
[host::barracuda]
TZ=America/Los_Angeles

But, I don't know why it's not working.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...