https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293924#M161683 <P>good call, dont forget restart! Abilan</P> Fri, 24 Mar 2017 19:18:47 GMT mattymo 2017-03-24T19:18:47Z https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293919#M161678 <P>Hi Team,</P> <P>We are in splunk 6.5.</P> <P>Our forwarder machines are having Brasilia Time zone and our indexer is on UTC time zone.</P> <P>I have tried updating the below entry on Props.conf file on my forwarders machine. </P> <P>[test]<BR /> SHOULD_LINEMERGE=false<BR /> TIME_FORMAT=%Y-%m-%d %H:%M:%S,%f<BR /> TIME_PREFIX=^<BR /> TZ=America/Sao_Paulo<BR /> MAX_TIMESTAMP_LOOKAHEAD=25</P> <P>Still I can see the indexed events are in UTC time zone in GUI. Please help me here on this issue.</P> <P>Regards,<BR /> Abilan</P> Tue, 29 Sep 2020 13:23:48 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293919#M161678 Abilan1 2020-09-29T13:23:48Z https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293920#M161679 <P><CODE>./splunk btool props list test --debug</CODE> need the sourcetype on the forwarder and indexer. </P> <P>EDIT : updated command to reflect different soucretype. as you have it called test now...other thread is sched</P> Fri, 24 Mar 2017 17:35:05 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293920#M161679 mattymo 2017-03-24T17:35:05Z https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293921#M161680 <P>Hi ,</P> <P>Thanks again for your help.</P> <P>I have executed the query on my forwarder. Please find the output below. sourcetype is empty here.</P> <P>/u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf [scheduler]<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf ANNOTATE_PUNCT = True<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf AUTO_KV_JSON = true<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE =<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE_DATE = True<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf CHARSET = UTF-8<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf DATETIME_CONFIG = /etc/datetime.xml<BR /> /u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+-]\d+ )?(?P[^ ]*)\s+(?P[^ ]+) - (?P.+)<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf HEADER_MODE =<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_MODEL = true<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_SOURCETYPE = true<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LINE_BREAKER_LOOKBEHIND = 100<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_AGO = 2000<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_HENCE = 2<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_AGO = 3600<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_HENCE = 604800<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_EVENTS = 256<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_BREAK_AFTER =<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_AFTER =<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_BEFORE =<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION = indexing<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-all = full<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-inner = inner<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-outer = outer<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-raw = none<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-standard = standard<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SHOULD_LINEMERGE = True<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRANSFORMS =<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRUNCATE = 10000<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf detect_trailing_nulls = false<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf maxDist = 100<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf priority =<BR /> /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf sourcetype =</P> Tue, 29 Sep 2020 13:23:54 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293921#M161680 Abilan1 2020-09-29T13:23:54Z https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293922#M161681 <P>I had the very same issue not so long ago, and the resolution was that the props.conf on the INDEXER needed to have the stanza added, not on the forwarder. </P> Fri, 24 Mar 2017 18:48:05 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293922#M161681 JDukeSplunk 2017-03-24T18:48:05Z https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293923#M161682 <P>Which also required that I go to this page on the indexer or restart the indexer service.</P> <P><A href="https://MYINDERXERURL:PORT/en-US/debug/refresh">https://MYINDERXERURL:PORT/en-US/debug/refresh</A></P> Fri, 24 Mar 2017 18:49:44 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293923#M161682 JDukeSplunk 2017-03-24T18:49:44Z https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293924#M161683 <P>good call, dont forget restart! Abilan</P> Fri, 24 Mar 2017 19:18:47 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293924#M161683 mattymo 2017-03-24T19:18:47Z https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293925#M161684 <P>Hi ,</P> <P>correct name is sched. Just for example I have given it as test.</P> Fri, 24 Mar 2017 19:32:52 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293925#M161684 Abilan1 2017-03-24T19:32:52Z https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293926#M161685 <P>We need to see a sample event and your <CODE>inputs.conf</CODE>. It would be nice to see <CODE>transforms.conf</CODE>, too.</P> Tue, 28 Mar 2017 22:50:13 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Time-stamp-modification/m-p/293926#M161685 woodcock 2017-03-28T22:50:13Z