Set Time Zone for IIS logs - 4.2.3

New Member

I have added TZ=GMT to the props.conf under [iis] and restarted Splunk. The server is CST.
From what I have read, the new indexed data will reference the new time. How do you reference the existing index data to the new time? I am having to adjust searches with "latest=+360m" to get current results.

0 Karma

Re: Set Time Zone for IIS logs - 4.2.3

Splunk Employee

You cannot fix/change the already indexed data. However, you could use the eval command to manipulate the old _time value so it is offset. So add to the search for the old data:

| eval _time=_time-3600

The above would offset the time by -1 hour. You could programmatically use if/case statements and the eval command to force a new time value for the older data.

0 Karma
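
An added example, not part of the original answer: one way to write the if/eval correction suggested above so that it only touches events indexed before the TZ=GMT change and stays correct across daylight saving, by re-reading the stored wall-clock time as GMT instead of subtracting a fixed number of seconds. The cutover value is a constructed placeholder for the moment the props.conf change took effect, the field names cutover and wall_clock are made up for this example, and the search assumes times are rendered at search time in the same Central zone the indexer originally applied.

```spl
sourcetype=iis latest=+360m
| eval cutover=strptime("2011-01-01 00:00:00 +0000", "%Y-%m-%d %H:%M:%S %z")
| eval wall_clock=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval _time=if(_indextime < cutover, strptime(wall_clock . " +0000", "%Y-%m-%d %H:%M:%S %z"), _time)
| fields - cutover, wall_clock
| sort - _time
```

The time range is still matched against the stored _time before eval runs, so the window has to keep reaching 360 minutes ahead to retrieve the older events.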