https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74958#M15317 <P>I was having a similar issue, running in Central time. I created a props.conf file within the C:\Program Files\Splunk\etc\system\local filepath with just the value TZ = UTC-6, Eastern would likely be UTC-5 and my timestamps are displaying correctly. Unfortunately I don't see my props.conf file in that directory anymore but the timestamps are still working correctly.</P> <P>JC</P> Tue, 02 Oct 2012 17:13:07 GMT jcaffero 2012-10-02T17:13:07Z https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74956#M15315 <P>Hi.</P> <P>We have some log data where each line starts with a timestamp that looks like this:</P> <PRE>2012-09-28 15:44:35,302</PRE> <P>Nothing else in the data looks anything like a timestamp.</P> <P>Splunk is indexing this as UTC, so it displays 4 hours earlier.</P> <P>The timezone on the source server is in Eastern.</P> <P>We are running a Splunk Universal Forwarder there, so on the Heavy Forwarder, I have the following:</P> <PRE> [my_sourcetype_here] TZ = US/Eastern </PRE> <P>For what it's worth, I also tried with [host::hostnamepattern*]</P> <P>Neither seem to have taken effect with newly-indexed events, despite actually restarting the Heavy forwarders!</P> <P>Am I missing something here?</P> <P>Thanks.</P> Fri, 28 Sep 2012 19:52:31 GMT https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74956#M15315 Sqig 2012-09-28T19:52:31Z https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74957#M15316 <P>A bit unclear about the setup - is it UF -&gt; HF -&gt; Indexer?</P> <P>TZ settings should go to where the parsing phase takes place - in the above scenario, that would be the HF (As can be seen <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F">here</A>).</P> <P>Have you tried either <CODE>EST</CODE> or <CODE>-04:00</CODE> instead of <CODE>US/Eastern</CODE>?</P> <P>/Kristian</P> Fri, 28 Sep 2012 20:19:40 GMT https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74957#M15316 kristian_kolb 2012-09-28T20:19:40Z https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74958#M15317 <P>I was having a similar issue, running in Central time. I created a props.conf file within the C:\Program Files\Splunk\etc\system\local filepath with just the value TZ = UTC-6, Eastern would likely be UTC-5 and my timestamps are displaying correctly. Unfortunately I don't see my props.conf file in that directory anymore but the timestamps are still working correctly.</P> <P>JC</P> Tue, 02 Oct 2012 17:13:07 GMT https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74958#M15317 jcaffero 2012-10-02T17:13:07Z https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74959#M15318 <P>If Splunk is indexing in UTC, then your server is likely set to use UTC. See this link for help on how Splunk sets time zones:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/ApplyTimezoneOffsetsToTimeStamps">http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/ApplyTimezoneOffsetsToTimeStamps</A></P> Tue, 02 Oct 2012 17:15:48 GMT https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74959#M15318 sowings 2012-10-02T17:15:48Z https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74960#M15319 <P>If I could remove a question I have posted, I would in this case. This was user error on my part and not anything to do with Splunk.</P> Tue, 02 Oct 2012 17:43:34 GMT https://community.splunk.com/t5/Getting-Data-In/Timezones-what-am-i-missing/m-p/74960#M15319 Sqig 2012-10-02T17:43:34Z