By way of a light forwarder, I'm receiving IIS logs in W3C Extended Format from 5 boxes, which log events in GMT time - there's no way to change timezones when using this format with IIS.
Because our Splunk server lives in a GMT+10 timezone, and all our other sourcetypes/events are logged in the server's TZ, we have set up a props.conf file under C:\Program Files\Splunk\etc\system\local with the following entry at the top of the file to specifically handle IIS logs:
[IIS*]
TZ=GMT
We've also tried:
[IIS*]
TZ = America/Los_Angeles
It seems no matter what I try, I just can't get Splunk to treat my logs correctly. This is a MAJOR problem because it makes them totally unusable in a real time context. The net effect is all entries appear 10 hours into the future.
Have you seen this yourself? How did you fix it?
Thanks 🙂
So are IIS logs, which are by default set to GMT, read in and viewed in the timezone of the web server serving up the searches? Are other logs, like event logs, doing the same?
For what it is worth, the IIS-1, IIS-2, ..., IIS-n issue should be fixed in 4.1.4 if you have manually set the sourcetype to IIS in inputs.conf, thus solving your problem the 'right' way 🙂
It is broken in 5.0.3 still.... I'm getting an iis-2 sourcetype despite hardcoding it in inputs.conf.
Hi Alex, could you provide more info about what is being fixed in 4.1.4 re: IIS-1, IIS-2, etc.? What's changing?
For IIS W3C formatted logs, the time zone is always GMT, so you should set TZ = GMT. The timezone setting of the incoming data is completely independent of the server time zone.
You may not use wildcards in sourcetype stanzas in props.conf (only in source:: and host:: stanzas) so that is one problem.
It would be useful to know what you are setting the sourcetype of your inputs to. They would be set on the light forwarder, and you should set them explicitly. If not set explicitly on the light forwarder, the default rules should set it to iis. Note that if this is the case, the props.conf stanza names are case-sensitive, so that may be another problem.
I'm also not certain why you'd have tried America/Los_Angeles as a TZ setting.
I am using TZ = GMT in ~/etc/system/local/props.conf and the times and dates are correct in splunk. Because I may be taking other iis logs I explicitly set the sourcetype in the deployment-apps directory/default/inputs.conf as
sourcetype = mswin_2008r2_iisw3c
This way I can use another sourcetype if the server version is different.
My ~/etc/system/local/props.conf stanza looks like this (field names can be found in the header of the log file):
[mswin_2008r2_iisw3c]
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
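Added example, not part of the thread or of Splunk itself: a small Python model of the two points made above, that a bare stanza name in props.conf is a literal, case-sensitive sourcetype (so [IIS*] never matches anything) and that when no stanza supplies a TZ the GMT timestamps in a W3C Extended log get read in the indexer's own zone. The props.conf text, the log lines, the GMT+10 server zone and the helper names (load_props, matching_stanza, effective_tz, parse_w3c, skew_hours) are all constructed for the illustration; the matching logic is only the rule as stated in this thread, not Splunk's full stanza-precedence algorithm.

```python
import configparser
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed props.conf: the [IIS*] stanza from the question next to the
# explicit sourcetype stanza from the answer above (sample text, not a real deployment).
PROPS_CONF = """\
[IIS*]
TZ = GMT

[mswin_2008r2_iisw3c]
TZ = GMT
SHOULD_LINEMERGE = false
"""

# Constructed IIS W3C Extended log; IIS always writes these times in GMT.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-06-10 02:00:00
#Fields: date time s-ip cs-method cs-uri-stem sc-status
2013-06-10 02:00:01 10.0.0.5 GET /index.html 200
2013-06-10 02:15:30 10.0.0.5 POST /login 302
"""

SERVER_TZ = timezone(timedelta(hours=10))  # assumed indexer zone: GMT+10
KNOWN_TZ = {"GMT": timezone.utc, "UTC": timezone.utc, "Etc/GMT": timezone.utc}


def load_props(text):
    """props.conf is close enough to INI for configparser; keep key case (TZ)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def matching_stanza(props, sourcetype, source="", host=""):
    """Rule from the thread: source:: and host:: stanzas accept wildcards, a bare
    stanza is a literal, case-sensitive sourcetype name. Returns the name or None."""
    for name in props.sections():
        if name.startswith("source::"):
            if fnmatchcase(source, name[len("source::"):]):
                return name
        elif name.startswith("host::"):
            if fnmatchcase(host, name[len("host::"):]):
                return name
        elif name == sourcetype:  # no globbing here: "IIS*" != "IIS"
            return name
    return None


def effective_tz(props, sourcetype, **kw):
    """Zone the timestamps get parsed in: the matched stanza's TZ, else the server's."""
    stanza = matching_stanza(props, sourcetype, **kw)
    if stanza is None or "TZ" not in props[stanza]:
        return SERVER_TZ
    value = props[stanza]["TZ"]
    if value not in KNOWN_TZ:
        raise ValueError("TZ %r not in this example's zone table" % value)
    return KNOWN_TZ[value]


def parse_w3c(text, tz):
    """Parse W3C Extended lines using the #Fields header; stamp each event in tz."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rec = dict(zip(fields, line.split()))
            stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            rec["_time"] = stamp.replace(tzinfo=tz)
            events.append(rec)
    return events


def skew_hours(props, sourcetype):
    """Hours between the true (GMT) event time and the time the config yields.
    0 means the TZ setting took effect; positive means the indexed _time is
    earlier than the real event by that many hours (read as server-local)."""
    truth = parse_w3c(IIS_LOG, timezone.utc)
    seen = parse_w3c(IIS_LOG, effective_tz(props, sourcetype))
    return (truth[0]["_time"] - seen[0]["_time"]).total_seconds() / 3600


if __name__ == "__main__":
    props = load_props(PROPS_CONF)
    for st in ("IIS", "iis", "mswin_2008r2_iisw3c"):
        print("%-22s stanza=%-22s skew=%+.0fh"
              % (st, matching_stanza(props, st), skew_hours(props, st)))
```

Running it shows sourcetypes IIS and iis matching no stanza at all (so they fall back to the GMT+10 server zone and land 10 hours off), while mswin_2008r2_iisw3c matches its literal stanza and comes out with zero skew.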
Mine is simply this:
[default]
TZ = US/Eastern
So maybe try this?
[name_of_sourcetype]
TZ = US/Pacific
Make sure that whatever you put in name_of_sourcetype is the sourcetype that the IIS log is using.
From what the user is saying, it seems that setting the TZ to GMT was not working. Perhaps a bug?
Per @gkanapathy's answer above, I believe your answer is not correct: the time zone should be marked GMT, not local.