Our server is forwarding events for us and includes some extra fields at the beginning of each event. One of those fields is the timezone offset of the server.
So the event might look like:
domain,hostname,timezone,path,log_message
Where the log_message contains a timestamp but the timestamp can be in different locations in the log_message and the timestamp can have different formats. The timestamp does not include timezone information.
Splunk does a good job of finding the timestamps and creating the _time to match, but I can't figure out how to apply the timezone field.
I really want to have in my props.conf to have TZ= reference the timezone field from the events:
TZ=timezone
but that doesn't seem to work.
Surprisingly, it seems to work if I add a TIMESTAMP_FIELDS line to the bottom of the source type section like:
[LOGDATA]
EXTRACT-LOG = ^(?<domain>[^,]+),(?<host>[^,]+),[^,]+,[^,]+,[^,]+,(?<timezone>[^,]+),(?<sourcename>[^,]+),(?<TEXT>.+)$
TIME_FORMAT = %m/%d/%Y %H:%M:%S
TIMESTAMP_FIELDS = _time, timezone
Splunk must create the _time field and then update it with the timezone?