In our Slave-Apps directory on the 2 peers/indexers we have a custom app created by the previous admin which has a TZ setting of UTC for network devices that are on UTC. Now I am adding a new data source (i.e. AD security logs) using UFs on the DCs, and our DCs are all in the EST TZ, hence I would need to list the EST TZ in props.conf.
My questions are:
1) Is this the right stanza for the EST time entry?
[WinEventLog://Security]
TZ = US/Eastern
I understand I will have to do this in the master-apps folder on the cluster master and then apply the config bundle.
2) Will this require a reboot of any peers?
Hi there,
1 - Yes, that's correct.
2 - Yes, the cluster master will initiate a restart of its cluster members once you apply the new cluster bundle. Please see here for what requires a restart and what doesn't.
Are you sure the time zone is right? or should it be EST?
Sure am:
http://docs.splunk.com/Documentation/Splunk/6.6.3/Admin/Propsconf (search for "The following example sets Eastern Time Zone")
Ok, yeah, I see that, but it's not working for me. Did you see my props.conf in the comment below? Also, I am defining TZ by sourcetype and not by host; will that make a difference?
I tried with a host entry as well; it did not work. Still, only when I go to last 4 hrs can I see events; otherwise, in a real-time search or last 15 or 60 mins, they do not show up.
[host::dc1-corpdc01]
TZ = US/Eastern
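An added diagnostic, not from this thread, that shows why a TZ mismatch produces the symptom described above (events visible only in a wider time window): it parses a constructed WinEventLog TimeGenerated timestamp once as UTC and once as US/Eastern and reports the resulting shift in _time. The USEastern class hard-codes the post-2007 US DST rule as an assumption so it runs without system tz data; in practice zoneinfo.ZoneInfo("US/Eastern") does the same job.

```python
from datetime import datetime, timedelta, timezone, tzinfo

# Format of the TimeGenerated line at the top of a Splunk WinEventLog event.
WINEVENT_TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def _nth_sunday(year, month, n):
    """Naive datetime for the n-th Sunday of the given month (midnight)."""
    first = datetime(year, month, 1)
    first_sunday = 1 + (6 - first.weekday()) % 7
    return datetime(year, month, first_sunday + 7 * (n - 1))


class USEastern(tzinfo):
    """US/Eastern with the post-2007 rule (assumption): EDT from the second Sunday
    in March 02:00 local until the first Sunday in November 02:00 local, else EST."""

    def _dst_active(self, dt):
        wall = dt.replace(tzinfo=None)
        start = _nth_sunday(wall.year, 3, 2) + timedelta(hours=2)
        end = _nth_sunday(wall.year, 11, 1) + timedelta(hours=2)
        return start <= wall < end

    def utcoffset(self, dt):
        return timedelta(hours=-4) if self._dst_active(dt) else timedelta(hours=-5)

    def dst(self, dt):
        return timedelta(hours=1) if self._dst_active(dt) else timedelta(0)

    def tzname(self, dt):
        return "EDT" if self._dst_active(dt) else "EST"


def event_time_epoch(ts, tz):
    """Epoch seconds Splunk would store as _time if it parsed ts in zone tz."""
    naive = datetime.strptime(ts, WINEVENT_TS_FORMAT)
    return int(naive.replace(tzinfo=tz).timestamp())


def indexing_skew_hours(ts, configured_tz, actual_tz):
    """Hours by which _time lands away from the true event time when the indexer
    applies configured_tz but the DC wrote ts in actual_tz. Negative = in the past."""
    return (event_time_epoch(ts, configured_tz) - event_time_epoch(ts, actual_tz)) / 3600


def sample_skews():
    """Constructed DC timestamps, parsed as UTC (no TZ stanza matched) vs US/Eastern."""
    return {
        "september": indexing_skew_hours("09/18/2017 10:00:00 AM", timezone.utc, USEastern()),
        "january": indexing_skew_hours("01/18/2017 10:00:00 AM", timezone.utc, USEastern()),
    }


if __name__ == "__main__":
    for season, skew in sample_skews().items():
        print(f"{season}: _time off by {skew:+.0f} h when the EST/EDT stanza is not applied")
```

A shift of -4 h in summer (EDT) or -5 h in winter (EST) means a fresh event is stored as if it happened hours ago, so it is outside "last 60 minutes" and real-time searches but inside a wider window; if the stanza is matching, the skew is 0.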