Solved: Is there a way to edit props or transforms to keep... - Splunk Community

Getting Data In

I have some logs rolling into splunk (via HF) in UTC time, and it is throwing off users' searching with CST (local time).

Is there a way to edit props or transforms to keep the UTC time but convert it to local CST time?

Or is that not an option?

Thank you

1 Solution

Solution

hello there,

see here in docs:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Applytimezoneoffsetstotimestamps
a nice answer here:
https://answers.splunk.com/answers/135193/splunk-indexing-and-time-zone-normalization.html

hope it helps

View solution in original post

Hi Log_wrangler,

Yes, you can achieve this by using props.conf. Be sure to push this to both UF and HF.

[source::your_source]
TZ = US/Central

Solution

hello there,

see here in docs:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Applytimezoneoffsetstotimestamps
a nice answer here:
https://answers.splunk.com/answers/135193/splunk-indexing-and-time-zone-normalization.html

hope it helps

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers, So you searched, “what is the name of the usb key inserted by bob smith?” Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register Is your ...