Can this configuration be made on the forwarder, or must it be placed on the indexer?
props.conf:
[host::nyc*]
TZ = US/Eastern
It must be placed on the server that's parsing the data. If it's a heavyweight forwarder, it goes on the forwarder. If it's a light forwarder, it goes on the indexer.
Starting in Splunk 6, it's now possible to specify the timezone on a Universal Forwarder. As long as both sender and receiver are using the new forwarding protocol, the timezone information provided by the sender should be honored.
Links to related docs:
"TZ" attribute
negotiateNewProtocol
I am using Splunk Universal Forwarder 4.3.2 on Windows sending IIS logs to a Splunk 4.3.2 server on CentOS. I had to add the timezone to /opt/splunk/etc/system/local/props.conf on the server:
[iis]
TZ = GMT
[iis-1]
TZ = GMT
The events ended up having sourcetype [iis-1] on the server because of CHECK_FOR_HEADER being enabled on the forwarder (http://splunk-base.splunk.com/answers/72860/sourcetypes-keep-on-multiplying/72883), hence the two stanzas.
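To make concrete what the TZ attribute does at the parsing node (whichever box that is), here is an added example, not Splunk code, that combines the [host::nyc*] stanza from the question with the [iis] stanza above: it resolves which stanza applies to an event and shows how the same timezone-less IIS timestamp lands on a different epoch depending on the TZ chosen. It assumes Python 3.9+ and simplifies Splunk's precedence to "host:: beats plain sourcetype" (source:: stanzas are not modelled); the host and sourcetype names are constructed.

```python
import fnmatch
from configparser import ConfigParser
from datetime import datetime, timezone, timedelta
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed props.conf combining the stanzas from the thread above.
PROPS_CONF = """
[host::nyc*]
TZ = US/Eastern

[iis]
TZ = GMT
"""

# Simplification (assumption): a host:: stanza outranks a plain sourcetype
# stanza; source:: stanzas and Splunk's finer tie-breaking are not modelled.
def resolve_tz(props_text, host, sourcetype):
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str            # keep "TZ" upper-case, as in props.conf
    cp.read_string(props_text)
    for section in cp.sections():
        if section.startswith("host::") and fnmatch.fnmatch(host, section[6:]):
            return cp[section].get("TZ")
    if cp.has_section(sourcetype):
        return cp[sourcetype].get("TZ")
    return None                     # no TZ: the parsing node uses its own clock


# Hypothetical winter (standard-time) offsets, used only if the OS has no tz database.
FALLBACK_OFFSETS = {"US/Eastern": -5}

def tzinfo_for(tzname):
    if tzname in ("GMT", "UTC"):
        return timezone.utc
    try:
        return ZoneInfo(tzname)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=FALLBACK_OFFSETS[tzname]))

def event_epoch(timestamp, tzname):
    """Interpret a timezone-less log timestamp under the resolved TZ."""
    naive = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    return int(naive.replace(tzinfo=tzinfo_for(tzname)).timestamp())

if __name__ == "__main__":
    tz = resolve_tz(PROPS_CONF, "nyc-web01", "access_combined")
    print(tz, event_epoch("2012-01-15 14:00:00", tz))
    # The same wall-clock text parsed as GMT lands five hours earlier.
    print(event_epoch("2012-01-15 14:00:00", "GMT"))
```

If no stanza matches, resolve_tz returns None, which is exactly the case where the indexer silently applies its own local timezone to the event.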
Yes. I believe this is a shortcoming of Splunk at the moment. I have run into this problem with Windows light forwarders, but I don't even have a hostname convention method to help deal with local timezone settings. We run servers that must be configured in the audience's timezone.
So, if we have a mix of 1000s of heavy and lightweight forwarders, we can't just stick the TZ for each host in the props.conf on the indexers?
We have to identify the heavy forwarders and ensure they have this set in their local props.conf on each heavy forwarder (an arduous task in our environment)?