https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174102#M35046 <P>Splunk will set event time zones according to the following priority:<BR /><BR /> 1) It will use the time zone in the raw event data.<BR /><BR /> 2) It will use the time zone in props.conf<BR /><BR /> 3) If both the forwarder and indexer are 6.0 or later, then it used the time zone of the forwarder. </P> <P>In your case, the time zone of the event is UTC because the time zone is included in the event.<BR /><BR /> However, because your MAX_TIMESTAMP_LOOKAHEAD is set to 20, Splunk never sees the time zone so it can't apply it.<BR /><BR /> I’m not sure why it does not check props.conf before it moves on to the third priority. Perhaps the props.conf is in the wrong location? </P> <P>Regardless, change your MAX_TIMESTAMP_LOOKAHEAD to 30.</P> Mon, 28 Sep 2020 16:41:13 GMT lukejadamec 2020-09-28T16:41:13Z https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174101#M35045 <P>Hi,</P> <P>We are using Splunk 6.0.3</P> <P>The host (no matter where it is located) always sends logs with UTC time. In my props.conf file i have added <CODE>TZ = UTC</CODE> in the stanza that processes the logs. But still i see the _time as forwarder's time zone.<IMG src="http://answers.splunk.com//storage/UTC_Error.jpeg" alt="alt text" /></P> <P>My Props.conf looks like this:<BR /><BR /> SHOULD_LINEMERGE=false<BR /><BR /> LINE_BREAKER=([\r\n]+)\d{2}-[a-zA-Z]{3}-\d{4}\s\d{2}:\d{2}:\d{2}\s<BR /><BR /> MAX_TIMESTAMP_LOOKAHEAD=20<BR /><BR /> TIME_PREFIX=^<BR /><BR /> TIME_FORMAT=%d-%b-%Y %H:%M:%S<BR /><BR /> TZ=UTC</P> <P>Thanks<BR /><BR /> Strive</P> Mon, 28 Sep 2020 16:41:08 GMT https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174101#M35045 strive 2020-09-28T16:41:08Z https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174102#M35046 <P>Splunk will set event time zones according to the following priority:<BR /><BR /> 1) It will use the time zone in the raw event data.<BR /><BR /> 2) It will use the time zone in props.conf<BR /><BR /> 3) If both the forwarder and indexer are 6.0 or later, then it used the time zone of the forwarder. </P> <P>In your case, the time zone of the event is UTC because the time zone is included in the event.<BR /><BR /> However, because your MAX_TIMESTAMP_LOOKAHEAD is set to 20, Splunk never sees the time zone so it can't apply it.<BR /><BR /> I’m not sure why it does not check props.conf before it moves on to the third priority. Perhaps the props.conf is in the wrong location? </P> <P>Regardless, change your MAX_TIMESTAMP_LOOKAHEAD to 30.</P> Mon, 28 Sep 2020 16:41:13 GMT https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174102#M35046 lukejadamec 2020-09-28T16:41:13Z https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174103#M35047 <P>Thanks for your response. props.conf is inside /IndexAPP/local/ directory. This splunk app is added to peer nodes (indexers).</P> <P>Note: we use clusters</P> Wed, 21 May 2014 20:48:30 GMT https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174103#M35047 strive 2014-05-21T20:48:30Z https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174104#M35048 <P>The issue was with forwarder. It is resolved.</P> Wed, 23 Jul 2014 02:03:25 GMT https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174104#M35048 strive 2014-07-23T02:03:25Z https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174105#M35049 <P>what's was the issue? we are having the same issue where the timezone is set as UTC, but it still indexes data in EDT. </P> Wed, 07 Jun 2017 02:34:06 GMT https://community.splunk.com/t5/Getting-Data-In/Setting-timezone-is-not-working/m-p/174105#M35049 jdhruti 2017-06-07T02:34:06Z