Getting Data In
Provide Splunk Cloud feedback in this confidential UX survey by June 17
for a chance to win a $200 Amazon gift card!

Is it possible to use sourcetype and host stanzas for the same event?


We have the varonis ta and its props has the following section -




However, each varonis server that sends us data has a different time zone and the data doesn't have the time zone as part of it. Therefore, can I have also?


TZ = <Tokyo Time Zone>


Will it work?

Labels (1)
0 Karma


Yes it will. The precedence order will be of the below. 

  • source
  • host
  • sourcetype

An upvote would be appreciated if the above comment is helpful.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!