Solved: change extracted event timezone

davidepala · ‎02-10-2018

Hi guys
i've a scritpt on a linux forwarder to monitor a load balancer, it's log is a txt file in UTC format, i need to set the time zone to europe/rome, to do this i've setup props.conf on indexer as show below

[source::NSowa]
TZ = Europe/Rome

the result is the same

as you can see event without timestam are logged with the correct time, the time extraction is wrong.

davidepala · ‎02-13-2018

Solved .... the time zone must be the TZ of the SOURCE .... in my case W3C log are always UTC, using TZ = UTC i've solved the problem

View solution in original post

davidepala · ‎02-13-2018

Solved .... the time zone must be the TZ of the SOURCE .... in my case W3C log are always UTC, using TZ = UTC i've solved the problem

davidepala · ‎02-11-2018

here is the screenshot with source as selected field

ddrillic · ‎02-11-2018

Based on this screen-shot, these two events don't seem be of source = NSowa. You see, source is not listed below the event, only host...

davidepala · ‎02-11-2018

tnx ddrillic, the source is correct, i don't know why but i've hosted a new screenshot on imgur but the forum don't show it ... i've post a new reply in the main thread with screenshot

davidepala · ‎02-11-2018

i've read the documentation, I read about the TZ parameter there ... where i'm wrong?

micahkemp · ‎02-11-2018

My apologies, I didn't see the props.conf snippet you posted. I read this as a general "how do I use TZ in Splunk" question. @ddrillic's comment seems to identify at least one issue with this configuration.

micahkemp · ‎02-10-2018

Consult the documentation for instruction on setting the timezone correctly.

klopez30 · ‎02-12-2018

I downvoted this post because this isn't a very helpful comment. telling someone to just read the documentation doesn't help someone find what they're looking for to become better.

493669 · ‎02-12-2018

We should not be trying to discourage people from posting answers..down votes are for completely wrong answers/bad advice

micahkemp · ‎02-12-2018

I get the reasoning behind the downvote. I think it's the type of post that should potentially be downvoted (when it an answer is purposely unhelpful, etc). In this case I simply misunderstood the question, and apologized to the asker prior to the downvote.

When I posted the answer, a pointer to the correct documentation seemed like the best place to start, due to my missing the details in the question about already having attempted to implement the configs.

All in all, it was a reasonable consideration to downvote.

micahkemp · ‎02-12-2018

As I responded in a previous comment, it seemed to be a general "how do I configure timezones to work" question. As such, I linked to the documentation in my answer.

change extracted event timezone

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes