- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- IIS + DST = Time Conversion Problem
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been searching the forums for a solution to my problem, but have not found a solution that has worked. So I decided to try asking.
I have a remote server running IIS that has Splunk (4.3.1) installed and setup as a lightweight forwarder. I have Splunk grabbing the local IIS logs and sending them to my main Splunk (4.3.1) indexer. On the remote system, I have not made any changes to conf files. On the indexer, I setup the props.conf file with this:
[iis-3]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REPORT-iis_default = iis_referer
TRANSFORMS-comment = comment
TZ=Europe/London
"iis-3" is the sourcetype and "iis_referer" is the transforms mapping that I created.
The logs are being parsed fine for all their values except the time. The time zone setting of "Europe/London" was working correctly until the last Daylight Savings Time (DST) change. The index server and I are in "America/Los_Angeles". The indexer retrieves time from an NTP server and is set to the correct time and time zone. If I run a query to see the latest event in the IIS log, it shows the latest event (in a Splunk translated time) of 1 hour earlier than what it should be showing.
Do I need to use another TZ value or something else?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to get the time conversion to work. What I did was upgrade to splunk version 4.3.2 on the forwarder and indexer, added spaces around the "=" for the TZ variable, changed the timezone to "Africa/Casablanca", and I restarted the splunkd service on the indexer. I am not sure if all of those were required for the fix, but after I did all that the time conversions started working.
Here is the new props.conf config from the indexer for reference.
[iis-3]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REPORT-iis_referer = iis_referer
TRANSFORMS-comment = comment
TZ = Africa/Casablanca
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to get the time conversion to work. What I did was upgrade to splunk version 4.3.2 on the forwarder and indexer, added spaces around the "=" for the TZ variable, changed the timezone to "Africa/Casablanca", and I restarted the splunkd service on the indexer. I am not sure if all of those were required for the fix, but after I did all that the time conversions started working.
Here is the new props.conf config from the indexer for reference.
[iis-3]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REPORT-iis_referer = iis_referer
TRANSFORMS-comment = comment
TZ = Africa/Casablanca
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I thought that IIS logs were always stored in UTC. If so, your setting should say
TZ=UTC
I wonder if perhaps you have been affected by "British Summer Time" - as Europe/London would be affected by that, while UTC would not... I don't think the problem is caused by the "America/Los Angeles" setting.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
