Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Overriding TZ for source

mikelanghorst
Motivator
‎04-09-2012 04:00 PM

I have a JBoss/Tomcat access log that has an incorrect Timezone configuration, causing Splunk to set the time to an hour ahead.

172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0

The server is correctly set at PDT, but something is setting this log to stay at -0800. The developer isn't sure where this is set, and would take some time to correct even when we do find the location. How do I properly change the time for this source? It occurs on several hosts (dev/test/staging/production), but only for this source file.

I've set props.conf on the indexer to:
[source::/my/app/path/localhost_access*]
TZ=PDT

Is this incorrect? It didn't change the behavior and I verified with btool that it's in effect.

Tags (1)
Reply

woodcock
Esteemed Legend
‎06-28-2015 08:48 PM

You should be able to use TZ_ALIAS like this:

TZ_ALIAS=-0800=PDT
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎04-09-2012 05:27 PM

Some additional things worth trying:

First, set an explicit TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in addition to a TZ for this source. Make the TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD explicitly ignore the "-0800" bit, preferably by setting MAX_TIMESTAMP_LOOKAHEAD small enough to where the "-0800" part isn't considered.

If that doesn't work, as hideous as it is you could filter out the "-0800" using a SEDCMD. (I really hope it doesn't come to this)

Reply

mikelanghorst
Motivator
‎04-10-2012 08:22 AM

Used the data import function on my local instance to set this up. Looks like this will be the answer.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎04-09-2012 04:26 PM

Splunk uses zoneinfo TZ database values (see http://docs.splunk.com/Documentation/Splunk/4.3.1/data/Applytimezoneoffsetstotimestamps and http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones ). Did you try US/Pacific for the TZ value?

Reply

mikelanghorst
Motivator
‎04-09-2012 04:31 PM

Yes, I just tried TZ=US/Pacific, but no change.

» 4/9/12
5:29:41.000 PM

[09/Apr/2012:16:29:41 -0800] 172.27.140.119 user1 - HTTP/1.1 POST 200 8969 98 /app/unitSubstitution/loadJSON

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...