I have a Deploy server application that I use to control my "SYSLOG" server that receives logs from various other sources. The SYSLOG server has a SPLUNK UF installed on it and it sends the data to configured indexes with the relevant source types. I have a range of data sources in this app to direct where my data goes. The UF is effectively monitoring for files in a directory structure. For example:
[monitor:///data/splunkforwarder/myfiles/app1/*/messages*]
host_segment = 5
sourcetype = app1_sourcetype
index = app1
[monitor:///data/splunkforwarder/myfiles/app2/*/messages*]
host_segment = 5
sourcetype = app2_sourcetype
index = app2
I have a monitor input that is using the standard JSON sourcetype provided by SPLUNK for another directory:
[monitor:///data/splunkforwarder/myfiles/BIGAPP/*/messages*]
host_segment = 5
sourcetype = json
index = bigapp
BIGAPP sends its logs via SYSLOG and this works as expected, however the time that is indexed in SPLUNK is out by 8 hours. The event arrives at say 8:45pm but SPLUNK indexes this at 12:45 (difference of 8 hours). I attempted to do the following:
[monitor:///data/splunkforwarder/myfiles/BIGAPP/*/messages*]
host_segment = 5
sourcetype = json
index = bigapp
TZ = Australia/Perth
I reloaded my DS and resent a log but this made no difference. From reading the articles, it would seem to indicate that this must only be done in props.conf? Do I have to create a new sourcetype (effectively duplicating the JSON sourcetype) and then apply this props to my SYSLOG application?
I don't want to impact my app as all of the other monitored files are accurate from a time stamp perspective, so I only need to change this one. The BIGAPP vendor does not have support for changing the time zone on the syslog, so I have to resort to having SPLUNK fix this.
Thanks for any assistance.
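An added example (not the poster's configuration) of scoping a time-zone override to just the BIGAPP files without touching the shared "json" sourcetype. It assumes the paths from the post, that the BIGAPP syslog timestamps carry no explicit UTC offset (TZ is only applied in that case), and that props.conf is deployed to whichever instance actually parses the data (the indexers, or the UF itself if the json sourcetype uses INDEXED_EXTRACTIONS).

```ini
# inputs.conf on the universal forwarder (pushed by the deployment server).
# Unchanged apart from dropping the TZ line: TZ is a props.conf setting and
# is ignored in inputs.conf, which is why reloading made no difference.
[monitor:///data/splunkforwarder/myfiles/BIGAPP/*/messages*]
host_segment = 5
sourcetype = json
index = bigapp

# props.conf on the parsing tier. A source:: stanza matches only the BIGAPP
# files, so the other monitored directories and every other user of the
# "json" sourcetype keep their current timestamp handling. "..." matches any
# number of path segments (assumed path pattern, mirroring the monitor above).
[source::/data/splunkforwarder/myfiles/BIGAPP/.../messages*]
TZ = Australia/Perth
```

After the parsing tier picks up the change, confirm the fix by comparing event time with index time for fresh events, e.g. `index=bigapp earliest=-15m | eval lag=_indextime-_time | stats min(lag) max(lag)`: a correctly parsed feed shows a lag of seconds, not roughly 28800.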