IIS Logs question

carlyleadmin
Contributor

Hey Guys,

I am forwarding IIS logs from our web servers. From what I have read so far, people are saying that they've made changes to the "props.conf" file and added TZ = whatever time zone they are in to get the right timestamp. I am also having a similar issue. When I look at the logs that are being written to the folder, it is my local time (EST), but when I open up the logs there is a 5 hour difference. I will also attach some screenshots as well.

So what I did was to create a props.conf file on my forwarder with [iis] (my sourcetype) and TZ = EST (I also tried GMT and UTC) and restarted the service. I also added the props.conf on my indexer as well; some said you need to make the changes on both indexer and forwarder (do I really have to??). But when I get the files it is still off by 5 hours, which is (UTC-05:00) Eastern Time (US & Canada).

My question is: should I wait for a new log file to be created? The changes I've made, will they only impact the new files?

I know there are a lot of questions and links on this issue, but I am on EST and my servers are on the same TZ (EST). I guess my IIS logs are being written in UTC time format, so do I need to change that setting? Did anyone have the same issue?

Thanks,

1 Solution

sshelly_splunk
Splunk Employee

Time is a bit hairy if it's not set correctly when data starts coming in. If you have the appropriate TZ specified in props.conf for your host/sourcetype, then anything coming in from the point the change was made will be "correct". All time math inside of Splunk is done in epoch time, and therefore if your data came in and Splunk thought it was in UTC, then they have timestamps for whatever that timestamp is (allowing for TZ) in epoch time. Local TZ specifies how you want the time to be displayed along the "Time" column in the events window. You can change your TZ and see how things change (the "Time" value will change, but the timestamp in the raw events will not).
Sorry to ramble a bit, but the way I approach it, if working with OSes set in different TZs, I specify the correct TZ for hosts/sources based on whatever criteria I can align them with. Say you have hostnames starting with "SF", as an example, meaning they are in San Fran, and some starting with NY; then I would set the stanza as follows:

[host::SF*]
TZ = PST
or
[host::NY*]
TZ = EST

If they can be split by IPs or some other mechanism, use that. Hope this helps.

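The answer above makes two points worth seeing in code: the stored event time is epoch seconds derived from the raw timestamp plus whatever TZ was assigned at index time, and the viewer's display zone only changes how that epoch is rendered. The Python below is an added example, not code from this thread or from Splunk: it parses constructed IIS W3C log lines (IIS writes their date/time in UTC by default) and shows the 5-hour shift produced by reading them as EST, the kind of shift that silently misaligns an IIS timeline against other sources during an investigation. Zone offsets are fixed values standing in for the TZ names in the thread, with no DST handling, as an assumption.

```python
"""Added example (not from the Splunk thread): parse IIS W3C log lines and show
how the assumed source time zone changes the epoch timestamp Splunk would store."""
from datetime import datetime, timezone, timedelta

# Constructed sample in IIS W3C Extended format. IIS writes date/time in UTC by default,
# which is what produces the 5-hour gap the question describes for an EST site.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem sc-status
2024-03-01 14:05:30 10.0.0.5 GET /index.html 200
2024-03-01 14:05:31 10.0.0.5 POST /login 401
"""

# Assumption: fixed offsets standing in for the TZ names used in the thread (no DST).
ZONES = {
    "UTC": timezone.utc,
    "EST": timezone(timedelta(hours=-5)),
    "PST": timezone(timedelta(hours=-8)),
}

def parse_w3c(text):
    """Yield one dict per event line, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))

def event_epoch(event, tz_name):
    """Epoch seconds that would be stored if the log's date/time were read in tz_name."""
    naive = datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")
    return int(naive.replace(tzinfo=ZONES[tz_name]).timestamp())

def offset_between(text, assumed_tz, actual_tz="UTC"):
    """Per-event shift in seconds caused by a wrong TZ setting (positive = indexed late)."""
    return [event_epoch(e, assumed_tz) - event_epoch(e, actual_tz) for e in parse_w3c(text)]

def display(epoch, tz_name):
    """How the 'Time' column renders one stored epoch under a viewer's display zone."""
    return datetime.fromtimestamp(epoch, ZONES[tz_name]).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    first = next(parse_w3c(SAMPLE_LOG))
    print("shift if read as EST:", offset_between(SAMPLE_LOG, "EST"))   # [18000, 18000]
    print("stored as UTC, shown in EST:", display(event_epoch(first, "UTC"), "EST"))
```

Events already indexed with the wrong zone keep their shifted epoch; only data arriving after the props.conf change is affected, which is why the question's existing files still show the 5-hour gap.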
