My indexers and searchheads in my central datacentre are configured in UTC timestamp but I have universal/light forwarders around the world in many different time zones.
I know the hosts my forwarders are installed on have correct time zone settings. So I'd like to use the host timezone (point number 3 in this document) rather than override it but I can't get it right.
Hence my 2 questions:
* How does Splunk determine the Splunk server time zone (if running on Linux)?
* Where is the time zone evaluated? In my case, if it's at the indexer level, it won't help...
Here are the rules: How Splunk applies timezones - I think this is exactly the page that you are referencing.
If you want to override the default processing, you must set the TZ attribute on the machine that is doing the parsing. That would mean that - on each indexer - you would need an entry in props.conf
for each forwarder:
[host::forwarderhostname1]
TZ = forwardertimezone1
There is no alternative. This is a perfect enhancement request! Do it here: Submit Case
My request would be "I want to be able to set something like this in props.conf:
[host::*]
TZ = use_host_tz
So that the indexer would use the forwarder's server timezone setting"
But that's just what I asked for...
UPDATE: Splunk 6 - *WISH GRANTED!*
Specify time zones of time stamps
Note item # 3 - "If an event that arrives at an indexer originated at a forwarder, and both the forwarder and the receiving indexer run Splunk Enterprise 6.0 or later, then Splunk uses the time zone that the forwarder provides."
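As an added illustration (not from the original answer or from Splunk's own code), the script below models the pre-6.0 rule above: the parsing tier looks up a [host::...] stanza for the sending forwarder and interprets the event's naive timestamp in that zone, falling back to the indexer's own zone (UTC here) when no stanza matches. The forwarder names, zones and the props.conf fragment are constructed; skew_hours() shows how far _time drifts when the stanza is missing.

```python
import re
from fnmatch import fnmatch
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed props.conf fragment, modelled on the per-forwarder stanzas above.
PROPS_CONF = """
[host::fwd-tokyo]
TZ = Asia/Tokyo

[host::fwd-mumbai]
TZ = Asia/Kolkata
"""


def parse_props_tz(text):
    """Return {host_pattern: tz_name} from [host::<pattern>] stanzas that carry TZ."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        stanza = re.match(r"^\[host::(.+)\]$", line)
        if stanza:
            current = stanza.group(1)
            continue
        tz = re.match(r"^TZ\s*=\s*(\S+)$", line)
        if tz and current:
            stanzas[current] = tz.group(1)
    return stanzas


def resolve_tz(host, stanzas, indexer_tz="UTC"):
    """Exact host stanza first, then a wildcard stanza, else the indexer's zone."""
    if host in stanzas:
        return stanzas[host]
    for pattern, tz_name in stanzas.items():
        if fnmatch(host, pattern):
            return tz_name
    return indexer_tz


def parse_event_time(raw, host, stanzas, indexer_tz="UTC"):
    """Interpret a naive 'YYYY-MM-DD HH:MM:SS' stamp the way the parsing tier would."""
    naive = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=ZoneInfo(resolve_tz(host, stanzas, indexer_tz))).timestamp()


def skew_hours(raw, host, stanzas):
    """Hours by which _time is wrong if the indexer falls back to UTC for this host."""
    correct = parse_event_time(raw, host, stanzas)
    wrong = parse_event_time(raw, host, {})  # no stanza: indexer's own zone wins
    return (wrong - correct) / 3600
```

A skew of several hours is exactly the symptom the question describes: events from the forwarder land in the wrong time window on the search head, which breaks correlation across hosts.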
Thanks! Indeed, the Splunk 6 update should fix this problem.
Well, this would be a workaround, but what I need is to have Splunk rely on the universal forwarders' server timezone - it's already correctly set, so I wouldn't like to force it to some specific timezone (and in addition it's different for each forwarder). It's a pity you can't set the timezone at input time.