Hey everyone.
I'm wondering how this is possible to accomplish - we have windows server farms across numerous timezones. They all send data to the same group of indexers, which convert everything to UTC.
If all of the windows servers are configured to use their local timezones, but the indexers only have a single props.conf file overriding time zones, how can we specify different time zones for the different servers?
Is it possible to override at the outputs.conf level on the forwarder itself, so I can effectively send out a small app to all of my forwarders that specifies "all hosts, send your data as if it was UTC"?
Everything specifies that this has to be overridden at the input level, but only a single timezone can be specified for a particular input. If you have servers from two timezones sending the same type of input, there needs to be an additional way to specify.
Obviously the best way to do this would to have all of the windows farms running UTC, but it's not my environment, so I can't really dictate that to another team.
