Priority to recognize the timezone of ingested data
- Release date: 2019.09.04
- Last updated: 2019.09.04
- Version: Splunk Enterprise 7.1.2
- Overview
Splunk automatically recognizes and extracts the time zone when ingesting data. The time zone is determined in the following order of priority.
1. The time zone specified in the ingested data
2. The time zone specified in props.conf
3. The forwarder's system time zone
4. The indexer's system time zone
- Reference information
- Precedence for recognizing timestamps
- content
Splunk determines the time zone of ingested data by evaluating the following items in order, starting with item 1.
1. When time zone information is written in the event itself (e.g. PST, -0800), the event is recognized in the stated time zone.
2. If you specify the time zone of the ingested data with the "TZ" parameter in props.conf, the data is recognized in the specified time zone.
   *If you are using a universal forwarder, the props.conf of the indexer is used.
   *If you are using a heavy forwarder, the props.conf of the heavy forwarder is used.
3. If the data is ingested through a universal forwarder of version 6.0 or later or through a heavy forwarder, the time zone of the OS on which the forwarder is running is used.
4. The time zone of the OS on which the indexer is running is used.
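The precedence above modelled in Python, as an added example that is not from the original page or from Splunk: it shows how the same raw timestamp lands on a different epoch time depending on which rule applies, which matters when correlating security logs from several sources. Function and parameter names are assumptions, the timestamps are constructed, and fixed UTC offsets stand in for time zone names so the code runs without a tz database.

```python
import re
from datetime import datetime, timedelta, timezone

# Trailing numeric offset such as " -0800" (abbreviations like PST are not modelled).
OFFSET_RE = re.compile(r"\s([+-]\d{4})$")

def offset(text):
    """Turn '+0900' / '-0800' into a datetime.timezone."""
    sign = 1 if text[0] == "+" else -1
    return timezone(sign * timedelta(hours=int(text[1:3]), minutes=int(text[3:5])))

def resolve_tz(raw, fwd_type=None, fwd_version=None, fwd_os_tz=None,
               idx_os_tz="+0000", idx_props_tz=None, hf_props_tz=None):
    """Return (rule, tz) following the four-step precedence described above."""
    m = OFFSET_RE.search(raw)
    if m:                                    # 1. time zone written in the event
        return "event", offset(m.group(1))
    # 2. TZ from props.conf: the heavy forwarder's own file when one is used,
    #    otherwise the indexer's file (this includes universal forwarders)
    props_tz = hf_props_tz if fwd_type == "heavy" else idx_props_tz
    if props_tz:
        return "props.conf", offset(props_tz)
    # 3. forwarder OS time zone (heavy, or universal forwarder 6.0 or later)
    if fwd_type == "heavy" or (fwd_type == "universal" and fwd_version >= (6, 0)):
        return "forwarder", offset(fwd_os_tz)
    return "indexer", offset(idx_os_tz)      # 4. indexer OS time zone

def to_epoch(raw, **env):
    """Apply the resolved time zone to a 'YYYY-MM-DD HH:MM:SS' timestamp."""
    rule, tz = resolve_tz(raw, **env)
    stamp = OFFSET_RE.sub("", raw)
    dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return rule, int(dt.timestamp())

if __name__ == "__main__":
    uf = dict(fwd_type="universal", fwd_version=(7, 1), fwd_os_tz="+0900")
    hf = dict(fwd_type="heavy", fwd_version=(7, 1), fwd_os_tz="+0900")
    cases = [
        ("2019-09-04 10:00:00 -0800", dict(uf, idx_props_tz="-0500")),
        ("2019-09-04 10:00:00", dict(uf, idx_props_tz="-0500")),
        ("2019-09-04 10:00:00", dict(hf, idx_props_tz="-0500")),  # indexer TZ not consulted
        ("2019-09-04 10:00:00", uf),
        ("2019-09-04 10:00:00", {}),
    ]
    for raw, env in cases:
        print(raw, "->", to_epoch(raw, **env))
```

The third case is the one that most often causes skewed timelines: a TZ setting placed only in the indexer's props.conf has no effect on data arriving through a heavy forwarder.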