https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413088#M119113 <P>Forwarder is on Windows server and splunk enterprise is on RHEL 6.1.</P> Tue, 11 Jun 2019 16:12:04 GMT rchittip 2019-06-11T16:12:04Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413085#M119110 <P>Dears, </P> <P>My Splunk Indexer is in CDT time zone and my forwarder logs are in UTC time zone and there is time difference of 5hrs. When I do the search in my splunk search head, data is getting indexed with 5 hour difference with the current time of splunk indexer. </P> <P>Below are the forwarder logs: </P> <PRE><CODE>2019-06-11 12:50:42 10.100.4.65 GET /Test/GetStoreItemInv/1111/000000/username/ - 9988 - 10.111.195.0 okhttp/2.6.0 - 200 0 0 531 2019-06-11 12:50:42 10.100.4.65 GET /Test/GetStoreItemInv/0910/2882183/username/ - 9988 - 10.111.195.0 okhttp/2.6.0 - 200 0 0 515 2019-06-11 12:50:42 10.100.4.65 GET /Test/GetStoreItemInv/2237/0544067/username/ - 9988 - 10.111.195.0 okhttp/2.6.0 - 200 0 0 578 2019-06-11 12:50:42 10.100.4.65 GET /ITest/GetStoreItemInv/2086/8513336/username/ - 9988 - 10.111.195.0 okhttp/2.6.0 - 200 0 0 671 </CODE></PRE> <P>I had updated the below stanza in on my forwarder /etc/system/loca/props.conf file but still nothing seems to be worked. </P> <PRE><CODE>[ItmInqWebServiceWeb] TZ = America/Chicago </CODE></PRE> <P>For time being, every time I search I'm adding <CODE>"latest=+5h earliest=+45m"</CODE> with my search. </P> <P>Do I also need to update the above stanza in indexer server props.conf as well?</P> <P>Thanks, <BR /> Ramu Chittiprolu </P> Tue, 11 Jun 2019 15:04:14 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413085#M119110 rchittip 2019-06-11T15:04:14Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413086#M119111 <P>Hi,</P> <P>TZ have to be set at parsing time - which means it will not work on universal forwarder. Set the setting on your indexers or intermediate heavy forwarders and it will fix you issue.</P> <P>Best Regards,</P> <P>Andreas</P> Tue, 11 Jun 2019 15:26:33 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413086#M119111 schose 2019-06-11T15:26:33Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413087#M119112 <P>Are you running Forwarder on RedHat Linux ? If yes then is it RHEL 6 or RHEL 7 ?</P> Tue, 11 Jun 2019 15:35:16 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413087#M119112 harsmarvania57 2019-06-11T15:35:16Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413088#M119113 <P>Forwarder is on Windows server and splunk enterprise is on RHEL 6.1.</P> Tue, 11 Jun 2019 16:12:04 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413088#M119113 rchittip 2019-06-11T16:12:04Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413089#M119114 <P>Have you tried with <CODE>TZ=CDT</CODE> on Forwarder ?</P> Tue, 11 Jun 2019 16:17:12 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413089#M119114 harsmarvania57 2019-06-11T16:17:12Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413090#M119115 <P>Yes, I tried below two in props.conf individually and restarted the forwarder but still search results are not correct.</P> <P>[ItmInqWebServiceWeb] <BR /> TZ=CDT </P> <P>[ItmInqWebServiceWeb] <BR /> TZ = America/Chicago</P> Tue, 11 Jun 2019 16:30:47 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413090#M119115 rchittip 2019-06-11T16:30:47Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413091#M119116 <P>When you change timezone config on forwarder, it will apply to only new data. Data which is already ingested will not change with new timezone setting.</P> Tue, 11 Jun 2019 16:32:57 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413091#M119116 harsmarvania57 2019-06-11T16:32:57Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413092#M119117 <P>yes, I have the latest logs updated on the forwarder end but still no luck. Do I also need to update the TZ entry for sourcetype in indexer server as well ?</P> Tue, 11 Jun 2019 16:43:59 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413092#M119117 rchittip 2019-06-11T16:43:59Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413093#M119118 <P>As far as I know, if you are running Forwarder and Indexer version 6.0+ then TZ on forwarder should work.</P> Wed, 12 Jun 2019 08:19:01 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413093#M119118 harsmarvania57 2019-06-12T08:19:01Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413094#M119119 <P>My forwarder and splunk version is 6.6.3. Not sure why this is not working.</P> Wed, 12 Jun 2019 09:09:19 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-issues-with-timezone-of-logs-from-forwarders/m-p/413094#M119119 rchittip 2019-06-12T09:09:19Z