Hi Splunkers & Splunkettes!
So I have a series of devices that logs in UTC as follows:
2011-10-30 23:24:13 0 2 0 0 N 1440 2473 402 249 0.00 0.00 435314688 0 0 0 0 0 8 
I want to ensure Splunk treats this as a UTC value when searches are run, so I have ensured that TZ = UTC is in the relevant props.conf files (Yes, I have checked the configuration hierarchy).
Despite this, when searches are run, the time stamp doesn't reflect the local time changes:
Splunk Timestamp                Event Timestamp
10/30/11 11:25:01.000 PM        2011-10-30 23:25:01 ...
This is despite other identically configured timestamps reflecting the desired timezone:
Splunk Timestamp                Event Timestamp
10/31/11 10:29:56.000 AM        [30/Oct/2011:23:21:37.560+0000] ...
This is doing my head in, so any and all assistance appreciated!!
The answer might be that your search head is not in UTC timezone. Splunk uses TZ= in props.conf to figure out what offset to apply to _time during indexing. But, at display time, _time is formatted from a time_t to a string in the search head's local timezone.
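The two steps described in the answer above, as an added example that is not part of the original thread and is not Splunk's own code: a zone-less timestamp becomes epoch seconds using the source zone (the role of TZ=), and the stored epoch is then formatted in the viewer's zone. The fixed UTC+11 search-head offset and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

RAW_FMT = "%Y-%m-%d %H:%M:%S"       # layout of the device timestamp on the page
SHOWN_FMT = "%m/%d/%y %I:%M:%S %p"  # layout of the displayed column (milliseconds dropped)
UTC = timezone.utc
# Assumption: search head at a fixed UTC+11 offset; the page does not name its zone.
SEARCH_HEAD_TZ = timezone(timedelta(hours=11))


def index_time_epoch(raw, source_tz):
    """Index-time step: read the zone-less text as wall-clock time in
    source_tz (the role TZ= plays) and return epoch seconds."""
    return int(datetime.strptime(raw, RAW_FMT).replace(tzinfo=source_tz).timestamp())


def display(epoch, viewer_tz):
    """Search-time step: format the stored epoch in the viewer's zone."""
    return datetime.fromtimestamp(epoch, viewer_tz).strftime(SHOWN_FMT)


def source_offset_applied(raw, shown, viewer_tz):
    """Check: from the raw text and the displayed value, recover the offset
    the raw text was read with. timedelta(0) means it was read as UTC."""
    shown_utc = datetime.strptime(shown, SHOWN_FMT).replace(tzinfo=viewer_tz).astimezone(UTC)
    return datetime.strptime(raw, RAW_FMT) - shown_utc.replace(tzinfo=None)


if __name__ == "__main__":
    raw = "2011-10-30 23:25:01"  # event timestamp from the page
    for label, tz in (("read as UTC", UTC), ("read as search-head local", SEARCH_HEAD_TZ)):
        epoch = index_time_epoch(raw, tz)
        shown = display(epoch, SEARCH_HEAD_TZ)
        offset = source_offset_applied(raw, shown, SEARCH_HEAD_TZ)
        print(f"{label:26} epoch={epoch} shown={shown} offset={offset}")
```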
This was indeed the case! Thanks for the answer 🙂
What's your props.conf? Post a copy. You may have got your config hierarchy correct, but the events to point to the stanza is?
e.g. here:
http://splunk-base.splunk.com/answers/29218/filtering-windows-event-logs
