Solved: Re: TimeZone setting not working for host set from...

woodcock · ‎05-29-2014

This configuration is not working:

From inputs.conf
[monitor:///somepath/.csv] host_regex = .([^])[^].csv(?:.gz)?$ sourcetype = somesourcetype

From props.conf:
[host::PR*] TZ = US/Atlantic

The host is correctly being set but the TZ is not. Based on this (version 6.1, BTW), I am assuming that if the host value is set using "host_regex", then "host" cannot be used to start a stanza in props.conf, right? If not, why does this not work?

woodcock · ‎06-03-2014

OK, I figured it out.

This DOES NOT WORK:
[host::CH...|DA...|NV...] TZ = US/Central

This DOES WORK:
[host::(CH...|DA...|NV...)] TZ = US/Central

View solution in original post

woodcock · ‎06-03-2014

OK, I figured it out.

This DOES NOT WORK:
[host::CH...|DA...|NV...] TZ = US/Central

This DOES WORK:
[host::(CH...|DA...|NV...)] TZ = US/Central

woodcock · ‎05-30-2014

Fair enough; my bad.
Even if I fix that, it still doesn't work.
I have another stanza like this which also does not work:
[host::IE*] TZ = US/Pacific

rsennett_splunk · ‎05-29-2014

Setting the TZ off of the host that has been set with host_regex is totally legit.

However... the Atlantic Standard Time Zone is a Not a US time zone... That's Quebec...

Atlantic Standard Time - Quebec - Lower North Shore (Canada) That's -4:00 with no DST

I imagine however based on the host example you are using that you're looking for Puerto Rico
America/Puerto_Rico which is also -4:00/-4:00 with no DST

http://en.wikipedia.org/wiki/List_of_tz_database_time_zones

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

TimeZone setting not working for host set from host_regex?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk