Hi all, we currently have a request to adjust the time zone based on the plant location from which the firewall logs are sent to the Splunk Heavy Forwarder instances, from where they are then indexed on the individual indexer instances. In our environment the HF instances also act as the syslog servers.
Exact requirement:
We want to adjust the time zone based on the plant location. Currently we can see that all the data is indexed with the EDT time zone. There are 13 different plant locations from which the firewall logs are sent, and mostly they all fall under the EST and CST time zones, except for one plant located in Malaysia (GMT -7).
The configuration details below are set in the custom apps Test-IA-guard and Test-TA-guard, and both apps are placed on the HF instances.
Test-IA-guard is configured with this inputs.conf stanza:
[monitor:///opt/syslogs/guard/.../guard.log*]
index=firewall
sourcetype=guard:network:firewall
host_segment = 4
Note: props.conf and transforms.conf are configured to set the host name per event.
We have more than 200 nodes configured with a per-event host name.
Test-TA-mguard is configured with props and transforms.
props.conf details:
[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host1
[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host2
transforms.conf details:
[guard_rename_Host1]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::guard-Line1
[guard_rename_Host2]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::guard-Line2
We know that we can configure the time zone in props.conf using TZ keyed on sourcetype, host, or source, but we are not sure how to configure the time zone for 13 different locations using the same props.conf. Kindly guide me on how to configure the time zone based on the different locations.
Thanks in advance.
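The shape of a per-location TZ configuration, as an added example that is not part of the original post and not the poster's configuration: the IP ranges and the grouping of plants are hypothetical, and the file is assumed to live in the app on the heavy forwarder, because the HF is the first full Splunk instance that parses these events and timestamp extraction, which is where TZ is applied, happens at parse time. Two points matter for this setup: TZ is only used when the event's own timestamp carries no zone information, and Splunk extracts the timestamp before it runs the TRANSFORMS host rewrite, so the host stanzas have to key on the value the event carries at that moment, which is the path segment selected by host_segment, not the renamed guard-Line1 style value.

```ini
# props.conf on the heavy forwarder (added example, hypothetical addresses)

# Sourcetype-level default; host and source stanzas take precedence over it,
# so this only covers plants with no more specific stanza below.
[guard:network:firewall]
TZ = America/New_York

# Plants whose syslog hosts fall in a range can share one wildcard host stanza.
# Key on the original host value (the syslog path segment), not the value
# written later by the guard_rename_* transforms.
[host::10.20.1.*]
TZ = America/Chicago

[host::10.20.2.*]
TZ = America/Chicago

# A single host can be pinned individually. IANA zone names are preferred over
# fixed GMT offsets because they carry DST rules where those apply.
[host::10.30.5.17]
TZ = Asia/Kuala_Lumpur

# A plant that already stamps events with an explicit offset needs no TZ here:
# Splunk ignores TZ whenever the extracted timestamp includes zone information.
```

To confirm which hosts still have the wrong zone after the change, compare indexing time with event time per host, for example `index=firewall earliest=-1h | eval lag=_indextime-_time | stats min(lag) max(lag) by host`; hosts whose lag sits close to a whole number of hours are being parsed with the wrong TZ, while correctly configured hosts show only the normal seconds of forwarding delay.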