Getting Data In

Why is the configured timezone in props.conf on the universal forwarder not being applied?


We're using splunk 6.1 so I think we're able to set TZ in the props.conf on the UF. However this doesn't seem to work, the server is EST and the logs are GMT so the entries show up as being in the future.

We've created the file below:

It only contains these two lines:

Is there anything we're doing wrong? If there's nothing obvious we're planning to update props.conf on the indexer (updating from default to a host regex)



I fixed it like this.

My raw time stamp : TUE APR 07 2015 14:47:58 EST (actual time zone is GMT+10:00 ie Eastern [Australian ] Standard Time not US).

You can use either a host or source based props.conf stanza

props.conf on a 6.1.5 UF.



Either of those should work. Change the TZ_ALIAS setting as required.
So in your case it would be something like :


Assuming your EST = american est. The "GMT=" should be what ever is in your RAW timestamp.

I think this worked due to the order of timezone detection (see list at the bottom)
I would guess that as the TZ setting isn't working because your raw timestamp has a timezone set inside it similar to my example? Which has the highest precedence.

The order as per

  1. If the event has a timezone in its raw text (for example UTC -08:00) use that.
  2. If TZ is set to a valid timezone string use that.
  3. If the event was forwarded and the forwarder-indexer connection is using the 6.0+ forwarding protocol use the timezone provided by the forwarder.
  4. Otherwise use the timezone of the system that is running splunkd.

0 Karma


This seems along the same lines as the question here :

Could you try to specify the timezone configuration at a source-level stanza rather than default?

0 Karma


Has anyone ever made UF based TZ modifications work?

host stanza doesn't work.
source based stanza doesn't work.

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...