https://community.splunk.com/t5/Splunk-Enterprise/monitor-file-on-syslog-ng-server-contains-entries-for-devices/m-p/557215#M6235 <P>I also checked out this link...<BR /><BR /><A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps" target="_blank">Specify time zones for timestamps - Splunk Documentation</A></P><P>Rich</P> Fri, 25 Jun 2021 16:05:31 GMT radam2000 2021-06-25T16:05:31Z https://community.splunk.com/t5/Splunk-Enterprise/monitor-file-on-syslog-ng-server-contains-entries-for-devices/m-p/557091#M6228 <P>I have a redhat 7.4 syslog-ng server with splunk heavy forwarder(8.1.2)&nbsp; installed. server is TZ EST</P><P>Server collects udp/514 logs from multiple networking devices and writes them to textfiles like ...<BR />/syslogs/todays-internetfirewalls.txt<BR />/syslogs/todays-routers.txt<BR />/syslogs/todays-switches.txt</P><P>splunk Heavy Forwarder has data/file monitor inputs for the various text files and are assigned to the appropriate index with the appropriate sourcetype<BR /><BR />so some network devices sending udp/514 syslogs to the above server are in different timezones but the entries in the text file written do not adjust for timezones...</P><P>example screen attached - In screenshot IP 172.24.63.88 is GMT and 172.24.3.5 is EST<BR /><BR />I researched and tried to create an app called Timezones on the HF with a local/props.conf file that just lists...<BR /><BR />[host::172.24.63.88]<BR />TZ = GMT</P><P>but when file data is ingested the _time for the IP in GMT is same as it appears in the log file entry with no adjustment to bring GMT time to EST time??<BR /><BR />any help would be appreciated - I have read several links already and follow a few answers...<BR /><BR /><A href="https://community.splunk.com/t5/Dashboards-Visualizations/Multiple-Timezones-search-worldwide/td-p/91339" target="_blank">https://community.splunk.com/t5/Dashboards-Visualizations/Multiple-Timezones-search-worldwide/td-p/91339</A><BR /><BR /><A href="https://community.splunk.com/t5/Getting-Data-In/Multiple-time-zones-in-props-conf/m-p/286456#M54667" target="_blank">https://community.splunk.com/t5/Getting-Data-In/Multiple-time-zones-in-props-conf/m-p/286456#M54667</A></P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf</A></P><P>Rich</P> Thu, 24 Jun 2021 23:46:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/monitor-file-on-syslog-ng-server-contains-entries-for-devices/m-p/557091#M6228 radam2000 2021-06-24T23:46:13Z https://community.splunk.com/t5/Splunk-Enterprise/monitor-file-on-syslog-ng-server-contains-entries-for-devices/m-p/557215#M6235 <P>I also checked out this link...<BR /><BR /><A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps" target="_blank">Specify time zones for timestamps - Splunk Documentation</A></P><P>Rich</P> Fri, 25 Jun 2021 16:05:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/monitor-file-on-syslog-ng-server-contains-entries-for-devices/m-p/557215#M6235 radam2000 2021-06-25T16:05:31Z