Re: UTC Time Zone Offset Not Working for Host

ejwade · ‎05-17-2019

I have a single Linux syslog stream, containing logs from multiple hosts, coming into a Splunk indexer through a TCP port - 1027. The source=tcp:1027 and sourcetype=syslog. The host is assigned using default settings, but I also have the following in place:

props.conf
[source::tcp:1027]
TRANSFORMS-syslog-forwarded-hostrewrite01=syslog-forwarded-hostrewrite01

transforms.conf
[syslog-forwarded-hostrewrite01]
DEST_KEY = MetaData:Host
REGEX = ^\S+\s+[0-9]+\s+[:0-9]+\s\S+\sMessage forwarded\sfrom\s?(\S+):
FORMAT = host::$1
disabled = 0

There's a specific host "utc-host" that is send logs in UTC. Our indexer and users are in Pacific Time. To offset this, I created the following configuration:

props.conf
[host::utc-host]
TZ = UTC

Unfortunately, this did not work. I did cmd btool props list to confirm the configurations were committing to Splunk's running configuration. Any tips?

richgalloway · ‎05-18-2019

btool shows the configuration that will be used the next time Splunk restarts. Did you restart Splunk after making changes to props.conf?

---
If this reply helps you, Karma would be appreciated.

ejwade · ‎05-20-2019

Yes - many times.

UTC Time Zone Offset Not Working for Host

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation