With timestamp assignment set to CURRENT the TZ setting doesn't matter since the timestamp is getting assigned based on the receving component's OS time.

You effectively broke the event recognition completely. DATETIME_CONFIG = CURRENT means that you're not recognizing the timestamp from the event but assuming the current timestamp of the receiving component. That is wrong. If you have any delays in the ingestion process, your data will not be properly timestamped.

This is _not_ the solution of the original problem. This is a way of a short-term avoidance of the problem but not the solution.

Hello,

I'm working on the indexer's props.conf. I've tried it with and without TZ = UTC and it's still reading 4 hours into the future.

What do you mean by "4 hours into the future". The timestamp you posted in the example event references 18:55:17 UTC (1761764117 as epoch-based unix timestamp).

The indexer is not recognizing the then 4 hour offset from UTC; I say then because we flipped form EDT to EST over the weekend. So, when an event is received by the indexer at 08:00:00 EDT, the 12:00:00UTC time is being recognized and Splunk holds that event until noon EDT.

I see that happen a LOT.  It's usually because the TIME_FORMAT string does not account for the time zone in the event, but you say you've done that.  Here are some things to check

• props.conf settings are correct, including attribute spelling and regular expressions
• Props are installed on the right instance(s)
• Props are not overridden by settings in other apps.  Use btool to check that.
• Instances are restarted after making props changes.
• Props in sourcetype stanzas are not overridden by props in host:: or source:: stanzas

Are you sure it's not something on your end? With the time(zone) configuration on your SH?

What do you get if you run

| makeresults 
| eval _time=strptime("2025-10-29T14:55:17-04:00","%Y-%m-%dT%H:%M:%S%z")
| eval time=strftime(_time,"%s")

No. It actually does match the format. It's a bit unfortunate that the offset is "glued" to the time part but it seems to match.

And since the timestamp references timezone definition, the TZ setting for the sourcetype should be ignored.

So there's something else here. Are the settings defined in the right place on the right component? (and aren't they overwritten by settings from another app?)

I believe I have the stanza in the correct location, here's a btool output and the sourcetype in question is only in one of two places.

splunk@splk-indexer01:~$ /opt/splunk/bin/splunk btool props list audit:log --debug
/opt/splunk/etc/system/local/props.conf   [audit:log]
/opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE = 
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
/opt/splunk/etc/system/default/props.conf HEADER_MODE = 
/opt/splunk/etc/system/default/props.conf LB_CHUNK_BREAKER_TRUNCATE = 2000000
/opt/splunk/etc/system/default/props.conf LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf MAX_EXPECTED_EVENT_LINES = 7
/opt/splunk/etc/system/local/props.conf   MAX_TIMESTAMP_LOOKAHEAD = 30
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER = 
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER = 
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE = 
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True
/opt/splunk/etc/system/local/props.conf   TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z
/opt/splunk/etc/system/local/props.conf   TIME_PREFIX = ^
/opt/splunk/etc/system/default/props.conf TRANSFORMS = 
/opt/splunk/etc/system/local/props.conf   TRUNCATE = 75000
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
/opt/splunk/etc/system/default/props.conf priority = 
/opt/splunk/etc/system/default/props.conf sourcetype = 
/opt/splunk/etc/system/default/props.conf termFrequencyWeightedDist = false
/opt/splunk/etc/system/default/props.conf unarchive_cmd_start_mode = shell

Hello,

I've tried the suggested TIME-FORMAT with and without TZ = UTC and it's still reading 4 hours into the future.

The TIME_FORMAT setting must be on the first full Splunk instance that receives the data.  That's usually an indexer, but could be a heavy forwarder.  The TZ should be on the UF.  Both instance types must be restarted after changing a props.conf file before the change will take effect.

Changes to TIME_FORMAT, TZ, and other props settings will not change events that are already indexed.  They only affect new data as it arrives.

Struck out here as well.

@b17gunnr do you mind describing the architecture? per the direction of @richgalloway  

Hello,

It is a straight-forward solution. I have a UF that is reading an internal file and forwarding contents to the Indexer. The Indexer is receiving those updates in UTC minus US eastern time offset (now 5 hours) but is not adjusting as per changes made to the Indexer's props.conf. All suggestions were tried and restarts took place after each change. No change in status...