topic Can you help me change the timezone offset for events that appear to be from the same host? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-change-the-timezone-offset-for-events-that/m-p/399268#M71139 <P>How do I change the timezone offset for events that appear to be from the same host (but the real host and timezone is contained in the event)?</P> <P><STRONG>RAW EVENTS:</STRONG></P> <P>Event 1:<BR /> host=HOSTA<BR /> real_event_host=HOSTX<BR /> real_event_time=2018-09-25T06:39:03:142-06:00</P> <P>Event 2:<BR /> host=HOSTA<BR /> real_event_host=HOSTY<BR /> real_event_time=2018-09-25T08:40:03:142-04:00</P> <P><STRONG>Here is how the above events get loaded:</STRONG></P> <P>Event 1:<BR /> _time=25/09/2018 06:39:03.000 <STRONG>(What I want is for this to now switch to the timezone of the indexer -400 i.e. 25/09/2018 08:39:03.142)</STRONG><BR /> host=HOSTA<BR /> real_event_host=HOSTX<BR /> real_event_time=2018-09-25T06:39:03:142-06:00</P> <P>Event 2:<BR /> _time=25/09/2018 08:40:03.321 <STRONG>(For this one the timezone is the same so the times should be the same)</STRONG><BR /> host=HOSTA<BR /> real_event_host=HOSTY<BR /> real_event_time=2018-09-25T08:40:03:321-04:00</P> <P>**How do I either use the real_event_time as the _time and convert it to the indexer's timezone OR at the very least make the _time reflect the timezone of the event?</P> <P>HOSTX is in -600 timezone offset<BR /> HOSTY is in -400 timezone offset<BR /> Both events appear to come from HOSTA which is in -400 timezone offset because HOSTA is a log aggregator**</P> Tue, 29 Sep 2020 21:26:02 GMT shariefc 2020-09-29T21:26:02Z Can you help me change the timezone offset for events that appear to be from the same host? https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-change-the-timezone-offset-for-events-that/m-p/399268#M71139 <P>How do I change the timezone offset for events that appear to be from the same host (but the real host and timezone is contained in the event)?</P> <P><STRONG>RAW EVENTS:</STRONG></P> <P>Event 1:<BR /> host=HOSTA<BR /> real_event_host=HOSTX<BR /> real_event_time=2018-09-25T06:39:03:142-06:00</P> <P>Event 2:<BR /> host=HOSTA<BR /> real_event_host=HOSTY<BR /> real_event_time=2018-09-25T08:40:03:142-04:00</P> <P><STRONG>Here is how the above events get loaded:</STRONG></P> <P>Event 1:<BR /> _time=25/09/2018 06:39:03.000 <STRONG>(What I want is for this to now switch to the timezone of the indexer -400 i.e. 25/09/2018 08:39:03.142)</STRONG><BR /> host=HOSTA<BR /> real_event_host=HOSTX<BR /> real_event_time=2018-09-25T06:39:03:142-06:00</P> <P>Event 2:<BR /> _time=25/09/2018 08:40:03.321 <STRONG>(For this one the timezone is the same so the times should be the same)</STRONG><BR /> host=HOSTA<BR /> real_event_host=HOSTY<BR /> real_event_time=2018-09-25T08:40:03:321-04:00</P> <P>**How do I either use the real_event_time as the _time and convert it to the indexer's timezone OR at the very least make the _time reflect the timezone of the event?</P> <P>HOSTX is in -600 timezone offset<BR /> HOSTY is in -400 timezone offset<BR /> Both events appear to come from HOSTA which is in -400 timezone offset because HOSTA is a log aggregator**</P> Tue, 29 Sep 2020 21:26:02 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-me-change-the-timezone-offset-for-events-that/m-p/399268#M71139 shariefc 2020-09-29T21:26:02Z