https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182258#M36521 <P>Somehow this issue has cleared itself up. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 17 Mar 2014 13:03:30 GMT bcusick 2014-03-17T13:03:30Z https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182254#M36517 <P>Hi,</P> <P>I have a forwarder that goes by EST. My Splunk server also goes by EST. Today I had to add a source (from a completely different server with UTC time) to my EST Splunk forwarder.</P> <P>How can I make _time for the logs in this source be in EST? They can still display UTC, but I need to see them in EST for Splunk timing.</P> <P>I have already tried editing the props.conf to say:</P> <PRE><CODE>[mdm] TZ = UTC </CODE></PRE> <P>Where mdm is the sourcetype for this source</P> <P>Thanks,</P> <P>Brian</P> Tue, 11 Mar 2014 19:34:58 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182254#M36517 bcusick 2014-03-11T19:34:58Z https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182255#M36518 <P>Do the event timestamps include a timezone, or is the timestamp an epoch time?<BR /> How did you add the new server to the forwarder, and why not add it directly to the indexer?</P> Tue, 11 Mar 2014 19:53:04 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182255#M36518 lukejadamec 2014-03-11T19:53:04Z https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182256#M36519 <P>Timestamp is showing up like this in the raw log...</P> <P>2014-03-11 18:04:11</P> <P>basically all I want to do is subtract 4 hours from it. Idk how that would go if the UTC time was between midnight and 3:59AM, but I could use temporarily a method to show this time as EST (4 hours prior to what it says now)</P> Tue, 11 Mar 2014 19:59:24 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182256#M36519 bcusick 2014-03-11T19:59:24Z https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182257#M36520 <P>You should try to configure splunk to recognize the correct TZ for that source, that way splunk can do all of the search time corrections for you.</P> <P>As for subtracting 4 hours, not a problem so long as splunk knows it is working with a time.</P> Tue, 11 Mar 2014 20:03:46 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182257#M36520 lukejadamec 2014-03-11T20:03:46Z https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182258#M36521 <P>Somehow this issue has cleared itself up. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 17 Mar 2014 13:03:30 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182258#M36521 bcusick 2014-03-17T13:03:30Z https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182259#M36522 <P>The indexers were probably rebooted which is required for this change to take effect.</P> Mon, 29 Jun 2015 01:58:58 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-source-logs-displaying-in-UTC-Time-Need-EST/m-p/182259#M36522 woodcock 2015-06-29T01:58:58Z