Is there a solution (yet) for setting the TZ for a syslog host?

Question

If I recall correctly, there wasn't a way to set/offset the TZ for a syslog host. Has this changed?

Answer 1

0

wolverine,

I believe this issue has to do with the order by which an event gets processed. The host extraction performed on syslog data at index time occurs after Splunk applies TZ properties. As a result, TZ properties applied on the extracted host field do not take affect. This is mostly a problem for syslog data that is not collected directly from the host which it originated.

Update: I do not have a definitive solution/workaround. You could try routing the data through a full forwarder before you index; where the indexer input is set to "parsingQueue" for a second round of parsing.

link

answered 26 Apr '11, 15:19

hazekamp
2.2k●2●18
accept rate: 38%

edited 26 Apr '11, 15:44

Thank you for your response, hazedev. I understand why it does not work. I'm wondering if a solution was provided recently. I recall there was a possible workaround for this.

(26 Apr '11, 15:22) the_wolverine ♦

Answer 2

0

Could you not set the TZ at the [source::514] level? This would of course set the TZ for the entire syslog stream.

If we knew what key TZ= in props.conf sets, we could possibly write an index-time transform for it:

[tz_for_host1]
SOURCE_KEY = MetaData:Host
REGEX = host1
DEST_KEY = (whatever key TZ is)
FORMAT = The/Timezone

link

answered 17 May '11, 15:29

Jason
3.6k●7●10●74
accept rate: 43%

edited 17 May '11, 15:32

Is there a solution (yet) for setting the TZ for a syslog host?

Follow this question

Splunk Resources

Related questions