https://community.splunk.com/t5/Splunk-Search/Time-zone-difference/m-p/63517#M180301 <P>Thanks! On props.conf on the indexer, I changed it to this format and then escaped the backslashes with a backslash and it worked. Example below.</P> <P>[source::c:\\logs\\path\\*.log]<BR /> TZ = Atlantic/St_Helena</P> Fri, 13 Sep 2013 21:45:44 GMT DavidGuarneri 2013-09-13T21:45:44Z https://community.splunk.com/t5/Splunk-Search/Time-zone-difference/m-p/63514#M180298 <P>I have a source type where iis logs copied from another server to the forwarder are being recorded in UTC but not indicating such. Example:</P> <P>2013-09-13 14:40:00 Blah 255.0.0.0 POST /example/index.aspx - 443 ...etc</P> <P>The splunk forwarder (as well as the indexer) is in CDT (Central). In the forwarder, I created a props.conf in the path c:\Program Files\SplunkUniversalForwarder\etc\system\local and inserted the following:</P> <P>[source://c:\logs\path\*.log]<BR /> TZ = SH</P> <P>I restarted the forwarder's SplunkFowarder service . I've waited. Splunk is still not translating the times. I even made a change to one log entry as a test, and it's still showing logs from 7 hours ago as the current hour's logs when I do a search for a string in a log entry from 7 hours ago.</P> <P>Help is appreciated.</P> <P>Sources used: <BR /> docs.splunk.com/Documentation/Splunk/5.0.4/Data/Applytimezoneoffsetstotimestamps<BR /> en.wikipedia.org/wiki/List_of_zoneinfo_timezones</P> Mon, 28 Sep 2020 14:46:36 GMT https://community.splunk.com/t5/Splunk-Search/Time-zone-difference/m-p/63514#M180298 DavidGuarneri 2020-09-28T14:46:36Z https://community.splunk.com/t5/Splunk-Search/Time-zone-difference/m-p/63515#M180299 <P>the props TZ is applied at index time, not on the forwarder.<BR /> Specify the TZ in props.conf on the indexer (or heavy forwarder level if any).</P> Fri, 13 Sep 2013 20:30:09 GMT https://community.splunk.com/t5/Splunk-Search/Time-zone-difference/m-p/63515#M180299 yannK 2013-09-13T20:30:09Z https://community.splunk.com/t5/Splunk-Search/Time-zone-difference/m-p/63516#M180300 <P>First, I don't know that the timezone takes the two-character zoneinfo. And the syntax for the <CODE>source</CODE> in <CODE>props.conf</CODE> is not the same as the syntax for <CODE>monitor</CODE> in <CODE>inputs.conf</CODE>. So I would do this.</P> <PRE><CODE>[source::c:\logs\path\*.log] TZ = Atlantic/St_Helena </CODE></PRE> <P>More importantly, this <CODE>props.conf</CODE> entry does <EM>not</EM> go on the Universal Forwarder. It must be where the events are parsed - that means that it should be on all the indexers. </P> <P>However, if you want to do the parsing on the forwarder, you can use a heavy forwarder and do the parsing <EM>before</EM> forwarding to the indexers. This may be your best choice for this forwarder if it is collecting logs from a variety of timezones.</P> Fri, 13 Sep 2013 20:57:02 GMT https://community.splunk.com/t5/Splunk-Search/Time-zone-difference/m-p/63516#M180300 lguinn2 2013-09-13T20:57:02Z https://community.splunk.com/t5/Splunk-Search/Time-zone-difference/m-p/63517#M180301 <P>Thanks! On props.conf on the indexer, I changed it to this format and then escaped the backslashes with a backslash and it worked. Example below.</P> <P>[source::c:\\logs\\path\\*.log]<BR /> TZ = Atlantic/St_Helena</P> Fri, 13 Sep 2013 21:45:44 GMT https://community.splunk.com/t5/Splunk-Search/Time-zone-difference/m-p/63517#M180301 DavidGuarneri 2013-09-13T21:45:44Z