https://community.splunk.com/t5/Splunk-Search/Change-time-zone-in-log-indexing/m-p/502566#M139878 <P>In the props.conf stanza for the sourcetype, add <CODE>TZ</CODE> to tell Splunk the time zone.</P> Mon, 09 Dec 2019 11:52:03 GMT richgalloway 2019-12-09T11:52:03Z https://community.splunk.com/t5/Splunk-Search/Change-time-zone-in-log-indexing/m-p/502565#M139877 <P>Hi,</P> <P>I have a log that it has the format below, I need his GMT to be -3h.</P> <P>That is, in the log file the time is <STRONG>(2019-12-08 06: 03: 54.463)</STRONG>, however I need it to be indexed in splunk as <STRONG>(2019-12-08 03: 03: 54.463)</STRONG></P> <PRE><CODE>(2019-12-09 08:04:57.618) (2019-12-08 12:47:17.125) easy_init.27964 (thread #0, tid: 40920) (trace:0) (proc_launch): Process easy_log successfully launched (31412) (2019-12-09 08:04:57.665) (2019-12-09 08:04:57.649) easy_init.exe.27964 (trace:4) (proc_launch): Process dbmon.oci successfully launched (19320) (2019-12-09 08:04:58.571) (2019-12-09 08:04:58.571) tsrv.exe.18260 (trace:0) ([ trace: disabled ] version '8.4' [ build 0 (Jun 11 2019 11:11:18) Update 1220 ]): information (2019-12-09 08:04:58.571) (2019-12-09 08:04:58.571) tsrv.exe.45784 (trace:0) ([ trace: disabled ] version '8.4' [ build 0 (Jun 11 2019 11:11:18) Update 1220 ]): information </CODE></PRE> <P>The regex below correctly indicates the events, however with the times are not gmt -3h</P> <PRE><CODE>LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true SHOULD_LINEMERGE=true TIME_FORMAT=%Y-%m-%d%t%H:%M:%S.%3N TIME_PREFIX=^\( disabled=false pulldown_type=true </CODE></PRE> Mon, 09 Dec 2019 10:31:11 GMT https://community.splunk.com/t5/Splunk-Search/Change-time-zone-in-log-indexing/m-p/502565#M139877 leandromatperei 2019-12-09T10:31:11Z https://community.splunk.com/t5/Splunk-Search/Change-time-zone-in-log-indexing/m-p/502566#M139878 <P>In the props.conf stanza for the sourcetype, add <CODE>TZ</CODE> to tell Splunk the time zone.</P> Mon, 09 Dec 2019 11:52:03 GMT https://community.splunk.com/t5/Splunk-Search/Change-time-zone-in-log-indexing/m-p/502566#M139878 richgalloway 2019-12-09T11:52:03Z https://community.splunk.com/t5/Splunk-Search/Change-time-zone-in-log-indexing/m-p/502567#M139879 <P>Set the TZ parameter in the props.conf.</P> <P>Here's the documentation</P> <PRE><CODE>TZ = &lt;timezone identifier&gt; * The algorithm for determining the time zone for a particular event is as follows: * If the event has a timezone in its raw text (for example, UTC, -08:00), use that. * If TZ is set to a valid timezone string, use that. * If the event was forwarded, and the forwarder-indexer connection uses the version 6.0 and higher forwarding protocol, use the timezone provided by the forwarder. * Otherwise, use the timezone of the system that is running splunkd. * Default: empty string </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Propsconf">https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Propsconf</A></P> Mon, 09 Dec 2019 11:53:20 GMT https://community.splunk.com/t5/Splunk-Search/Change-time-zone-in-log-indexing/m-p/502567#M139879 arjunpkishore5 2019-12-09T11:53:20Z