jfrog / log-analytics

JFrog Log Analytics
Apache License 2.0

Incorrect timezone on Splunk events #11

Closed danbarr closed 3 years ago

danbarr commented 4 years ago

Events from most of the Artifactory and Xray log files were being ingested into Splunk with a timestamp exactly 4 hours in the future (my servers are in UTC-0400 time zone). To fix this, I had to add use_fluentd_time false to td-agent.conf. I added this in the final <match jfrog.**> section but I don't know if it would be better to set it on each source.

According to the Fluentd docs, I believe this should indeed be set to false, since you're using the timestamp from the original records.

use_fluentd_time

The default: true. If set true, fluentd's timestamp is used as time metadata. If the record already has its own time value, this option should be false.
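A check for the symptom described in this issue, as an added example that is not part of the original thread or of the jfrog/log-analytics project: it compares each event's timestamp with the time the indexer received it (in Splunk, `_time` versus `_indextime`) and flags sources whose skew is a steady multiple of 15 minutes, which points to a time zone or timestamp-source problem rather than clock drift. The source names, sample records and thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows: (source, event timestamp, index/receive timestamp), all UTC.
SAMPLE = [
    ("artifactory/service", "2020-07-01T18:00:02Z", "2020-07-01T14:00:03Z"),
    ("artifactory/service", "2020-07-01T18:05:10Z", "2020-07-01T14:05:09Z"),
    ("artifactory/service", "2020-07-01T18:09:00Z", "2020-07-01T14:09:00Z"),
    ("xray/server",         "2020-07-01T18:01:00Z", "2020-07-01T14:01:02Z"),
    ("xray/server",         "2020-07-01T18:02:30Z", "2020-07-01T14:02:31Z"),
    ("artifactory/request", "2020-07-01T14:00:01Z", "2020-07-01T14:00:02Z"),
    ("artifactory/request", "2020-07-01T14:03:00Z", "2020-07-01T14:03:02Z"),
    ("edge/syslog",         "2020-07-01T14:00:05Z", "2020-07-01T14:00:00Z"),
    ("edge/syslog",         "2020-07-01T14:50:00Z", "2020-07-01T14:00:00Z"),
    ("edge/syslog",         "2020-07-01T13:48:20Z", "2020-07-01T14:00:00Z"),
]

def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(skews, tolerance_s=120, quantum_s=900, min_share=0.8):
    """Return (verdict, offset_seconds) for one source's list of skews."""
    # Snap each skew to the nearest 15 minutes, the granularity of real UTC offsets.
    snapped = Counter(round(s / quantum_s) * quantum_s for s in skews)
    dominant = snapped.most_common(1)[0][0]
    # Share of events sitting within the tolerance of that dominant offset.
    share = sum(abs(s - dominant) <= tolerance_s for s in skews) / len(skews)
    if share < min_share:
        return ("irregular", None)   # no steady offset: drift, replay or bad parsing
    if dominant == 0:
        return ("ok", 0)
    return ("timezone-shift", dominant)

def skew_report(events):
    """Map each source to its verdict; positive offsets mean events dated in the future."""
    by_source = {}
    for source, event_ts, index_ts in events:
        skew = (parse_utc(event_ts) - parse_utc(index_ts)).total_seconds()
        by_source.setdefault(source, []).append(skew)
    return {source: classify(skews) for source, skews in by_source.items()}

if __name__ == "__main__":
    for source, (verdict, offset) in skew_report(SAMPLE).items():
        hours = "" if offset is None else f" ({offset / 3600:+.2f} h)"
        print(f"{source:22} {verdict}{hours}")
```

Running such a check per source before and after a config change shows whether every input was corrected, which matters when Splunk timelines are used to correlate events across hosts.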

peters95 commented 3 years ago

Hi @danbarr, we have created a ticket to fix this and will update you soon once it's been merged. Thanks!

peters95 commented 3 years ago

Resolved in v1.1.0 of the Splunk integration... https://github.com/jfrog/log-analytics/blob/master/log-vendors/splunk/fluent.conf.rt#L247