How can i change timestamp?(Moscow Timezone inexac...

andrey2007 · ‎01-31-2013

Hello,
i have Splunk on freebsd 8.2 and i collect logs from Cisco Ips with Splunk for Cisco IPS App(using scripted input). Trouble is in timestamps, if event occurs at present moment, i see this event on splunk through some seconds, but with timestamp like this event was one hour ago. On freebsd i have Moscow timezone and correct time, time on Ips corresponds to realtime too, but in Splunk (Manager=>Your account) Moscow timezone is UTC+3, but really Moscow timezone is UTC+4. This is a problem. How can i change timestamps? Or may be somebody knows another solution for this problem.
P.s. i tryed to change props.conf for this app, may be i forgot something? this is my props.conf
[source::/opt/splunk/etc/apps/Splunk_CiscoIPS/var/log/ips_sdee.log.192.22.97.82]
[cisco_ips_syslog]
TZ = AE

yannK · ‎01-31-2013

"Moscow timezone is UTC+3, but really Moscow timezone is UTC+4"
the timezone definition comes from your system TZ tables, double check that your system is up to date on the indexers and search-heads. see in /usr/share/zoneinfo/

on linux you can try any timezone conversion of the current time with
date; export TZ=AE; date

andrey2007 · ‎01-31-2013

Yes, my system is up to date and with correct time, for testing i have one Splunk instance.

How can i change timestamp?(Moscow Timezone inexactness)

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk