Hello, we have a syslog device that is sending logs in UTC, but we need them to be in US/Pacific. Where do I set the TZ setting? Searchhead? Indexers? HeavyForwarder?
If the data is being received at the HeavyForwarder, then set it at the HF; if the data is going straight to the indexers, set it at the indexers. Never the searchhead.
I think this one may help you: https://answers.splunk.com/answers/116959/timezone-configurations.html