Getting Data In

How do I extract a timezone from the event?

ankithreddy777
Contributor

I have events which have timezone field whose values are UTC, America/chicago, etc.
How can I map these timezones to standard time zone.
I tried to use TZ_ALIAS, But string "America/Chicago" string should be mapped to CST/CDT based on daylight savings.

Is there any possibility to handle such situations?

0 Karma

jkat54
SplunkTrust
SplunkTrust

Generally speaking (with exception of singapore last i checked, probably more), the codes on this page work when used with TZ setting in props.conf

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Note, since _time extraction occurs at index time (or before sending to indexers if you're using INDEXED_EXTRACTIONS and a TIMESTAMP_FIELDS settings), the data will have to be reloaded for the changes to be seen. Also, the props should be on the indexers or first heavy forwarder the data flows through (again unless using INDEXED_EXTRACTIONS).

So first i would try American/Chicago (CaSeSenstivity Unknown), then i would try Central, then I would try the deprecated US/Central. It all else fails read the excerpt from props.conf.spec here and see if that answers any questions. Also, let know your configuration so we can be more specific, and if you dont mind sharing a sample timestamp from an event, we can help further.

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
* If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
* If TZ is set to a valid timezone string, use that.
* If the event was forwarded, and the forwarder-indexer connection is using
  the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
* Otherwise, use the timezone of the system that is running splunkd.
* Defaults to empty.

TZ_ALIAS = <key=value>[,<key=value>]...
* Provides splunk admin-level control over how timezone strings extracted
  from events are interpreted.
  * For example, EST can mean Eastern (US) Standard time, or Eastern
    (Australian) Standard time.  There are many other three letter timezone
    acronyms with many expansions.
* There is no requirement to use TZ_ALIAS if the traditional Splunk default
  mappings for these values have been as expected.  For example, EST maps to
  the Eastern US by default.
* Has no effect on TZ value; this only affects timezone strings from event
  text, either from any configured TIME_FORMAT, or from pattern-based guess
  fallback.
* The setting is a list of key=value pairs, separated by commas.
  * The key is matched against the text of the timezone specifier of the
    event, and the value is the timezone specifier to use when mapping the
    timestamp to UTC/GMT.
  * The value is another TZ specifier which expresses the desired offset.
  * Example: TZ_ALIAS = EST=GMT+10:00 (See props.conf.example for more/full
    examples)
* Defaults to unset.
0 Karma

marycordova
SplunkTrust
SplunkTrust

please post a representative sample of the various events and their timezones

@marycordova
0 Karma

gjanders
SplunkTrust
SplunkTrust

What is the example line for the time data and are you using the %z to parse the timezone data from the file?
Or are you configuring the TZ= per-sourcetype?

Date and time format variables explains the %z syntax

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...