Universal Forwarder - Timezone by sourcetype not working?

alexism
New Member

Just starting out with Splunk recently, still using the free version for now. My Splunk head, indexer & deployment server are on a Linux server and I'm running a universal forwarder on a Windows 2008 R2 server.

So far so good, I set up a bunch of inputs via a deployment app on the main install and pushed these to the forwarder.

Logs are being picked up as expected, but timestamps are not being handled as I would expect...

All the servers are (for now) set in the same timezone (EST), and most of our logs use the server local time, but for some types of logs the times are in UTC. This cannot be changed as having timestamps in UTC is defined in the protocol we're using for these logs (FIX protocol, if you must know!).

So I configured inputs.conf as:

[monitor://D:\app1\log\oms*.log]
disabled = false
index = default
sourcetype = Test.OMS

[monitor://D:\app1\log\feed*.log]
disabled = false
index = default
sourcetype = Test.Feed

######## FIX ########
[monitor://D:\app1\log\FIX\*.messages.current.log]
disabled = false
index = default
sourcetype = Test.FixMessages

[monitor://D:\app1\log\FIX\*.event.current.log]
disabled = false
index = default
sourcetype = Test.FixEvents

And props.conf:

[Test.FixMessages]
TZ=GMT

[Test.FixEvents]
TZ=GMT

I have checked the local configs that the forwarder has received from the deployment server and they agree with the above. But when I search for these events in Splunk their times are shifted by 5 hours - the timestamp seems to have been parsed as EST and sequencing of events (as compared to other log files which are EST) gets all weird and funky.

What am I missing here?

Thanks
-Alex

0 Karma

alexism
New Member

Ok, I've just answered my own question... I never considered putting the TZ parameters in props.conf on the Linux main server itself. Doing that worked. I think I'm still a bit confused as to what configuration applies at which time and in what priority...

Question now should be rephrased as - is this the correct approach, or is there a "better" way? I'd prefer to have all settings inside the deployment app I have rather than some in the app and some on the server itself...

0 Karma
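The behaviour Alex ran into comes down to where timestamp parsing happens: a universal forwarder does not parse events, so a props.conf TZ stanza that only reaches the forwarder is never consulted, and the indexer falls back to its own local time (EST here) when it sees the FIX timestamp. The following Python script is an added illustration, not code from the thread or from Splunk: it reads the props.conf stanzas from the question, resolves the per-sourcetype TZ override the way the parsing tier would, and assigns an epoch `_time` to a constructed FIX-style log line so the 5-hour shift can be seen directly. The sample line, the fixed -05:00 server offset and the `effective_props` helper are assumptions for the example only.

```python
"""
Added example (not from the original post or from Splunk): emulate how a
props.conf TZ override per sourcetype changes the _time assigned to a
UTC-stamped FIX log line, and where that props.conf has to live.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed props.conf text, identical to the stanzas in the question.
PROPS_CONF = """
[Test.FixMessages]
TZ=GMT

[Test.FixEvents]
TZ=GMT
"""

# Assumption: the servers are in EST with no DST in effect (UTC-5), which
# is what produces the 5-hour shift described in the question.
SERVER_TZ = timezone(timedelta(hours=-5), name="EST")

# Constructed sample line. FIX SendingTime (tag 52) is defined as UTC and
# uses the YYYYMMDD-HH:MM:SS.sss layout.
SAMPLE_LINE = "20240115-14:30:00.123 8=FIX.4.4|35=D|52=20240115-14:30:00.123|"

FIX_TS = re.compile(r"\b(\d{8})-(\d{2}:\d{2}:\d{2})(?:\.\d{3})?\b")


def parse_props(text):
    """Return {stanza: {key: value}} from a minimal props.conf."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def tz_for_sourcetype(props, sourcetype):
    """TZ override for a sourcetype, or None when props.conf has none.
    Only GMT/UTC are mapped here; a full implementation would accept any
    Olson zone name, as Splunk's TZ setting does."""
    tz = props.get(sourcetype, {}).get("TZ")
    if tz is None:
        return None
    if tz in ("GMT", "UTC"):
        return timezone.utc
    raise ValueError(f"zone {tz!r} not handled in this example")


def effective_props(universal_forwarder_props, indexer_props):
    """A universal forwarder does not parse timestamps, so TZ stanzas in
    its props.conf never apply; the indexer's (or a heavy forwarder's)
    props.conf is the one the parsing tier reads. Hypothetical helper."""
    return indexer_props


def assign_time(line, sourcetype, props, server_tz=SERVER_TZ):
    """Emulate the parsing tier: extract the FIX timestamp, apply the
    sourcetype's TZ override if present, otherwise assume server local
    time. Returns epoch seconds, i.e. what would be stored in _time."""
    m = FIX_TS.search(line)
    if not m:
        raise ValueError("no FIX-style timestamp in line")
    naive = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H:%M:%S")
    tz = tz_for_sourcetype(props, sourcetype) or server_tz
    return int(naive.replace(tzinfo=tz).timestamp())


def shift_hours(line, sourcetype, forwarder_props, indexer_props):
    """Hours by which _time is off when the TZ stanza sits only on the
    forwarder (so the indexer has no override) versus on the indexer."""
    parsed_with = assign_time(line, sourcetype, effective_props(forwarder_props, indexer_props))
    parsed_without = assign_time(line, sourcetype, effective_props(indexer_props, forwarder_props))
    return (parsed_without - parsed_with) / 3600


if __name__ == "__main__":
    tz_props = parse_props(PROPS_CONF)
    print("TZ only on forwarder -> shift of",
          shift_hours(SAMPLE_LINE, "Test.FixMessages", {}, tz_props), "hours")
```

Running the script prints a 5-hour shift for `Test.FixMessages`, while a sourcetype without a stanza (such as `Test.OMS`, whose logs really are in server local time) keeps the local-time interpretation in both cases. This is why Alex's fix of placing the `TZ` stanzas in props.conf on the Linux indexer worked; packaging that props.conf in an app that is deployed to the indexer rather than to the forwarder keeps the settings in one place.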