https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305795#M57686 <P>The Indexers work by doing whatever you tell them to do. If you tell them nothing about timezones, then each indexer will assume that any event with a date missing a timezone is using the same timezone as that Indexer's host OS and that event will be assigned a value of <CODE>local</CODE> for <CODE>date_zone</CODE>. This is TERRIBLE rookie admin, though; I do not allow events with <CODE>date_zone</CODE> = <CODE>local</CODE> to exist on any of my Indexers. Each event should EITHER have the TZ value inside of each event's timestamp OR each host+sourcetype combination should have a <CODE>TZ=foo/bar</CODE> in a <CODE>props.conf</CODE> on every Indexer. That is the way to do it or you are going to have broken (mis-normalized) times inside of Splunk events (all over the place).</P> Mon, 22 May 2017 17:02:49 GMT woodcock 2017-05-22T17:02:49Z https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305793#M57684 <P>Hi<BR /> we have hosts sending logs to indexer using universal forwarders. The hosts are spread across different time zones. <BR /> i want to know how the indexer Synchronize different time zones into one. Can you refer any document or something?</P> <P>thank you</P> Mon, 22 May 2017 12:48:02 GMT https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305793#M57684 gnanaraj_mcc 2017-05-22T12:48:02Z https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305794#M57685 <P>Hi<BR /> Have you already seen the foillowing answer?<BR /> <A href="https://answers.splunk.com/answers/52235/if-multiple-hosts-in-different-time-zones-are-sending-logs-to-splunk-in-that-case-how-to-configure-timezone-props-conf-for-the-hosts-individually.html">https://answers.splunk.com/answers/52235/if-multiple-hosts-in-different-time-zones-are-sending-logs-to-splunk-in-that-case-how-to-configure-timezone-props-conf-for-the-hosts-individually.html</A></P> <P>Every way the documentation is at <A href="https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Applytimezoneoffsetstotimestamps">https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Applytimezoneoffsetstotimestamps</A></P> <P>Bye.<BR /> Giuseppe</P> Mon, 22 May 2017 13:29:37 GMT https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305794#M57685 gcusello 2017-05-22T13:29:37Z https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305795#M57686 <P>The Indexers work by doing whatever you tell them to do. If you tell them nothing about timezones, then each indexer will assume that any event with a date missing a timezone is using the same timezone as that Indexer's host OS and that event will be assigned a value of <CODE>local</CODE> for <CODE>date_zone</CODE>. This is TERRIBLE rookie admin, though; I do not allow events with <CODE>date_zone</CODE> = <CODE>local</CODE> to exist on any of my Indexers. Each event should EITHER have the TZ value inside of each event's timestamp OR each host+sourcetype combination should have a <CODE>TZ=foo/bar</CODE> in a <CODE>props.conf</CODE> on every Indexer. That is the way to do it or you are going to have broken (mis-normalized) times inside of Splunk events (all over the place).</P> Mon, 22 May 2017 17:02:49 GMT https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305795#M57686 woodcock 2017-05-22T17:02:49Z https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305796#M57687 <P>@woodcock strikes again! FTW!</P> Tue, 23 May 2017 12:19:39 GMT https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305796#M57687 sloshburch 2017-05-23T12:19:39Z https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305797#M57688 <P>In other words, there is no <CODE>synchronization</CODE>, there is a <CODE>normalization</CODE> to <CODE>UTC</CODE> in the form of <CODE>time_t</CODE> AKA <CODE>epoch</CODE>.</P> Tue, 23 May 2017 13:39:13 GMT https://community.splunk.com/t5/Getting-Data-In/how-does-time-synchronization-work-between-forwarder-and-indexer/m-p/305797#M57688 woodcock 2017-05-23T13:39:13Z