https://community.splunk.com/t5/Getting-Data-In/How-can-we-use-original-timestamps-with-distributed-search/m-p/98247#M20503 <P>I am assuming that you do not want to use the Splunk time extractor which extracts the logged timestamp and "normalizes" it according to time zones at all? In which case you will want to edit/create the <A href="http://www.splunk.com/base/Documentation/latest/admin/Propsconf" rel="nofollow">props.conf</A> file in $SPLUNK_HOME/etc/system/local/ with the following stanza:</P> <P><CODE> [default]<BR /> DATETIME_CONFIG = NONE </CODE></P> <P>This will turn off all the time adjustments. You can also set the option to "CURRENT" which will insert the current system time or you can take a look at the datetime.xml file which Splunk uses for the conversion.</P> <P>There are some other options for configure time zones which you can find <A href="http://www.splunk.com/base/Documentation/latest/admin/Applytimezoneoffsetstotimestamps" rel="nofollow">here</A>. </P> <P>For information about Splunk timestamp recognition, you can check out the docs <A href="http://www.splunk.com/base/Documentation/latest/Admin/Configuretimestamprecognition" rel="nofollow">here</A>.</P> Mon, 06 Dec 2010 22:22:57 GMT Rob 2010-12-06T22:22:57Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-use-original-timestamps-with-distributed-search/m-p/98246#M20502 <P>Architecture: Two splunk servers: 1. London as search and local indexing. 2. New York as local indexing only.</P> <P>The events in question have the correct timestamp in the log file and it has been established when searched on each of the local indexers that the correct timestamp (ie that of the local time) has been indexed correctly</P> <P>When searching for New York events on the London server, the New York events seem to be getting automatically adjusted in the search results- this we don't want. We know that all events are indexed with the correct timestamp. How can we use the timestamps that we have in the raw indexes?</P> Fri, 03 Dec 2010 00:23:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-use-original-timestamps-with-distributed-search/m-p/98246#M20502 fox 2010-12-03T00:23:56Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-use-original-timestamps-with-distributed-search/m-p/98247#M20503 <P>I am assuming that you do not want to use the Splunk time extractor which extracts the logged timestamp and "normalizes" it according to time zones at all? In which case you will want to edit/create the <A href="http://www.splunk.com/base/Documentation/latest/admin/Propsconf" rel="nofollow">props.conf</A> file in $SPLUNK_HOME/etc/system/local/ with the following stanza:</P> <P><CODE> [default]<BR /> DATETIME_CONFIG = NONE </CODE></P> <P>This will turn off all the time adjustments. You can also set the option to "CURRENT" which will insert the current system time or you can take a look at the datetime.xml file which Splunk uses for the conversion.</P> <P>There are some other options for configure time zones which you can find <A href="http://www.splunk.com/base/Documentation/latest/admin/Applytimezoneoffsetstotimestamps" rel="nofollow">here</A>. </P> <P>For information about Splunk timestamp recognition, you can check out the docs <A href="http://www.splunk.com/base/Documentation/latest/Admin/Configuretimestamprecognition" rel="nofollow">here</A>.</P> Mon, 06 Dec 2010 22:22:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-use-original-timestamps-with-distributed-search/m-p/98247#M20503 Rob 2010-12-06T22:22:57Z