I have a log file with events that look like:
< Start >
Timestamp: 2/27/2015 8:34:14 PM
Message: Refresh Scheduler Started
Msg: Refresh Scheduler Started
App Domain: Scheduler.exe
< End >
The timestamp is using UTC when the server is using -5:00. I have created a props.conf file and have it on both the Universal Forwarder and my Indexer. The stanza looks like:
[lima_log]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = < Start >
TZ = UTC
I have verified this stanza using 'splunk cmd btool props list lima_log' and it appears correct. However, the event's timestamp when searching is +5:00 from what it should be.
What am I doing wrong?
If it matters, I am running Splunk 6.2.1.
Thank you in advance,
You are telling Splunk that the data is in UTC! See line 4 of your stanza! You might want to set
TZ = America/Lima
or any other setting from the TZ database.
Because the Universal Forwarder does not parse the data, you only need the [lima_log] stanza on the indexer.
Finally, a 6.2.1 forwarder will provide local time zone info when it sends data, so if the OS on the forwarder has the right time zone, you should not need the TZ setting at all. (Forwarders prior to Splunk 6 did not do this.)
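The mechanism behind the answer above, as an added example that is not part of the original thread: the TZ setting in a props.conf stanza tells Splunk which zone the zone-less timestamp text in the raw event belongs to, and the epoch value it assigns is then rendered in the searching user's zone. The script below reproduces that on a constructed log in the question's format, breaking events before `< Start >` as BREAK_ONLY_BEFORE does, and shows that switching the stanza from TZ = UTC to TZ = America/Lima moves _time by exactly five hours. The `zone()` helper and its fixed -05:00 fallback for America/Lima (Peru observes no daylight saving) are this example's own assumptions, not Splunk code.

```python
"""Added example (not from the original post): how the TZ setting in a
Splunk props.conf stanza changes the epoch time assigned to an event.

Splunk reads the timestamp text out of the raw event and, because the text
carries no zone, uses the TZ setting of the matching stanza to decide which
zone that text is in.  The resulting epoch value is then rendered in the
searching user's zone.  The functions below reproduce that logic on a
constructed log in the format shown in the question.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log: two events in the question's format.
SAMPLE_LOG = """\
< Start >
Timestamp: 2/27/2015 8:34:14 PM
Message: Refresh Scheduler Started
Msg: Refresh Scheduler Started
App Domain: Scheduler.exe
< End >
< Start >
Timestamp: 2/27/2015 8:35:02 PM
Message: Refresh Scheduler Finished
Msg: Refresh Scheduler Finished
App Domain: Scheduler.exe
< End >
"""

BREAK_ONLY_BEFORE = "< Start >"  # mirrors the stanza's BREAK_ONLY_BEFORE


def zone(name):
    """Resolve a TZ-database name to a tzinfo (assumption: only UTC and
    America/Lima are needed).  If the host has no tz database, America/Lima
    falls back to a fixed -05:00, which is correct for Peru (no DST)."""
    if name == "UTC":
        return timezone.utc
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:
        if name == "America/Lima":
            return timezone(timedelta(hours=-5))
        raise


def break_events(text):
    """Split raw text into events, starting a new event before each marker
    line (what BREAK_ONLY_BEFORE does)."""
    events, current = [], []
    for line in text.splitlines():
        if line == BREAK_ONLY_BEFORE and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


TS_RE = re.compile(
    r"^Timestamp:\s*(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)", re.M
)


def event_epoch(event, tz_name):
    """Epoch seconds Splunk would assign to the event under TZ = tz_name."""
    m = TS_RE.search(event)
    if not m:
        raise ValueError("no Timestamp line in event")
    naive = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
    return int(naive.replace(tzinfo=zone(tz_name)).timestamp())


def render(epoch, tz_name):
    """Format an epoch the way a searcher whose zone is tz_name sees it."""
    return datetime.fromtimestamp(epoch, zone(tz_name)).strftime(
        "%Y-%m-%d %H:%M:%S %z"
    )


def shift_hours(event, tz_a, tz_b):
    """Hours by which _time moves when the stanza's TZ changes from tz_a to tz_b."""
    return (event_epoch(event, tz_b) - event_epoch(event, tz_a)) / 3600


if __name__ == "__main__":
    first = break_events(SAMPLE_LOG)[0]
    for tz_name in ("UTC", "America/Lima"):
        e = event_epoch(first, tz_name)
        print(f"TZ = {tz_name:13s} epoch={e}  "
              f"seen by a -05:00 user as {render(e, 'America/Lima')}")
    print(f"shift: {shift_hours(first, 'UTC', 'America/Lima'):+.0f} h")
```

With TZ = UTC the 8:34:14 PM text is taken as 20:34:14 UTC and a user in -05:00 sees 15:34:14; with TZ = America/Lima the same text is taken as 20:34:14 -05:00 and that user sees 20:34:14, five hours later, which is the size of the discrepancy reported in the question.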