We are moving our Splunk server (everything is on this one server) however the old and new servers are in different timezones so all of my date before the move is now one hour earlier then it should be.
How can I stop this from happening? We have many dated only (no time) events and it is changing the day these events took place.
Thanks!
How can I move the data in my pre move to a different time zone?
I am indexing w/o any time zone specification.
There is no way to do that, the data indexed is "carved in stone".
You are better deleting and reindexing if you have the original data.
see http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder
The only hack to display results correctly at search time, could be to search over larger timerange, then change the _time field selectively.
Example to add one hour to all your events :
<mysearch> <mylargertimerange> | eval _time=_time+60*60 | search <myfinaltimerange>
That is what I was thinking but how do I enforce a time zone on data that has already been imported?
I am indexing w/o any time zone specification.
then this is the issue, splunk default to the indexer timezone, that may not the same than your data, use the previous documentation link and enforce a timezone.
How can I move the data in my pre move to a different time zone?
I am indexing w/o any time zone specification.