Hi guys
i've a scritpt on a linux forwarder to monitor a load balancer, it's log is a txt file in UTC format, i need to set the time zone to europe/rome, to do this i've setup props.conf on indexer as show below
[source::NSowa]
TZ = Europe/Rome
the result is the same
as you can see event without timestam are logged with the correct time, the time extraction is wrong.
Solved .... the time zone must be the TZ of the SOURCE .... in my case W3C log are always UTC, using TZ = UTC i've solved the problem
Solved .... the time zone must be the TZ of the SOURCE .... in my case W3C log are always UTC, using TZ = UTC i've solved the problem
Based on this screen-shot, these two events don't seem be of source = NSowa
. You see, source
is not listed below the event, only host
...
tnx ddrillic, the source is correct, i don't know why but i've hosted a new screenshot on imgur but the forum don't show it ... i've post a new reply in the main thread with screenshot
i've read the documentation, I read about the TZ parameter there ... where i'm wrong?
My apologies, I didn't see the props.conf snippet you posted. I read this as a general "how do I use TZ in Splunk" question. @ddrillic's comment seems to identify at least one issue with this configuration.
Consult the documentation for instruction on setting the timezone correctly.
I downvoted this post because this isn't a very helpful comment. telling someone to just read the documentation doesn't help someone find what they're looking for to become better.
We should not be trying to discourage people from posting answers..down votes are for completely wrong answers/bad advice
I get the reasoning behind the downvote. I think it's the type of post that should potentially be downvoted (when it an answer is purposely unhelpful, etc). In this case I simply misunderstood the question, and apologized to the asker prior to the downvote.
When I posted the answer, a pointer to the correct documentation seemed like the best place to start, due to my missing the details in the question about already having attempted to implement the configs.
All in all, it was a reasonable consideration to downvote.
As I responded in a previous comment, it seemed to be a general "how do I configure timezones to work" question. As such, I linked to the documentation in my answer.