As with many folks, my IIS logs are set up to run with GMT timestamps. I have set up "TZ=GMT" on the sourcetype setup for my IIS logs, set in the indexer under props.conf.
I have multiple IIS servers using the same source type. For most of my servers, all is well and I see that Splunk is converting the timezone to my local timezone (Pacific) based on my settings. However, there are a few servers where I see Splunk is interpreting 2 different timezones, see below:
Splunk is interpreting log entries with "7:35:xx" and "14:35:xx" as both IIS logs that have happened at 7:35:xx local time. The correct and expected interpretation is only log entries with "14:35:xx" should be interpreted that way.
You will notice that the same file is being used to make the two interpretations.
Can anyone please point me in the direction of where I may have misconfigured Splunk, or why this is happening?