I have a source type where iis logs copied from another server to the forwarder are being recorded in UTC but not indicating such. Example:
2013-09-13 14:40:00 Blah 255.0.0.0 POST /example/index.aspx - 443 ...etc
The splunk forwarder (as well as the indexer) is in CDT (Central). In the forwarder, I created a props.conf in the path c:\Program Files\SplunkUniversalForwarder\etc\system\local and inserted the following:
[source://c:\logs\path\*.log]
TZ = SH
I restarted the forwarder's SplunkForwarder service. I've waited. Splunk is still not translating the times. I even made a change to one log entry as a test, and it's still showing logs from 7 hours ago as the current hour's logs when I do a search for a string in a log entry from 7 hours ago.
Help is appreciated.
Sources used:
docs.splunk.com/Documentation/Splunk/5.0.4/Data/Applytimezoneoffsetstotimestamps
en.wikipedia.org/wiki/List_of_zoneinfo_timezones
First, I don't know that the timezone takes the two-character zoneinfo. And the syntax for the source in props.conf is not the same as the syntax for monitor in inputs.conf. So I would do this.
[source::c:\logs\path\*.log]
TZ = Atlantic/St_Helena
More importantly, this props.conf entry does not go on the Universal Forwarder. It must be where the events are parsed - that means that it should be on all the indexers.
However, if you want to do the parsing on the forwarder, you can use a heavy forwarder and do the parsing before forwarding to the indexers. This may be your best choice for this forwarder if it is collecting logs from a variety of timezones.
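To make the two points above concrete, here is an added example (not Splunk's code, not from the answer) that lints a props.conf fragment for the `source://` vs `source::` mistake and for a TZ value that is not a zoneinfo name, and computes how far off `_time` lands when a UTC-stamped IIS line is parsed as indexer-local time. It assumes the indexer is on CDT (UTC-5) and that Python's zoneinfo can read a system tz database; if it cannot, the zone check falls back to a Region/City shape check.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the IIS W3C line from the question, clock in UTC.
IIS_LINE = "2013-09-13 14:40:00 Blah 255.0.0.0 POST /example/index.aspx - 443"

# props.conf stanza headers use '::' (source::, host::, sourcetype::).
STANZA_RE = re.compile(r"^\[(source|host|sourcetype)::.+\]$")

def valid_zone(name):
    """True if name is a zoneinfo identifier such as UTC or Region/City.
    Uses the tz database when zoneinfo can read one; otherwise a shape
    check (assumption made here, not a Splunk rule)."""
    try:
        from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
        ZoneInfo("UTC")  # probe: is any tz database available?
    except Exception:
        return bool(re.fullmatch(r"UTC|[A-Za-z_+-]+(/[A-Za-z0-9_+-]+)+", name))
    try:
        ZoneInfo(name)
        return True
    except (ZoneInfoNotFoundError, ValueError):
        return False

def lint_props(text):
    """Return the problems found in a props.conf fragment (empty if clean)."""
    problems = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            if "://" in line:
                problems.append(f"{line}: use 'source::' (monitor:// is inputs.conf syntax)")
            elif not STANZA_RE.match(line):
                problems.append(f"{line}: unrecognised stanza header")
        elif re.match(r"TZ\s*=", line):
            value = line.partition("=")[2].strip()
            if not valid_zone(value):
                problems.append(f"TZ = {value}: not a zoneinfo name")
    return problems

def parse_iis_time(line, tz):
    """Interpret the leading 'YYYY-MM-DD HH:MM:SS' of an IIS line in zone tz."""
    stamp = " ".join(line.split()[:2])
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)

CDT = timezone(timedelta(hours=-5))  # assumed indexer-local zone (no DST math)

def indexing_error_hours(line):
    """Hours by which _time lands late when a UTC log is parsed as CDT."""
    return (parse_iis_time(line, CDT) - parse_iis_time(line, timezone.utc)).total_seconds() / 3600
```

Run `lint_props` over the stanza from the question and it flags both the header and `TZ = SH`; the corrected `[source::...]` / `TZ = Atlantic/St_Helena` pair passes.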
Thanks! On props.conf on the indexer, I changed it to this format and then escaped the backslashes with a backslash and it worked. Example below.
[source::c:\\logs\\path\\*.log]
TZ = Atlantic/St_Helena
The props TZ is applied at index time, not on the forwarder.
Specify the TZ in props.conf on the indexer (or heavy forwarder level if any).