I spent all morning trying to resolve the following problem.
I work in UTC+1:00 and I have the machines, a non-Splunk forwarder and the Splunk indexer configured in UTC+1:00. The same for the Splunk accounts.
When I receive a log from a host that doesn't send date/time in its logs, the time works perfectly. But in the same index, I have a host that sends date/time in its logs, and that is when the problem starts.
I have the correct date/time inside the log, but Time and aggregated time are off by -1:00 in Splunk.
I tried several props.conf settings like TZ and nothing changed. The only thing that "worked" was:
[sourcetype]
TIME_PREFIX = \"time\"\=
TIME_FORMAT = %H:%M:%S
But Splunk started to index several logs in one event, and the system time is still wrong. Example:
2/28/18
2:01:04.000 PM
<189>date=2018-02-28 time=13:00:42 ****************************************** date=2018-02-28 time=14:00:42 logid=.....
Thanks for reading.
Do your logs have double quotes around the date or time fields? If yes, give this a try:
[sourcetype]
TIME_PREFIX = \"date\"\=
TIME_FORMAT = %Y-%m-%d "time"=%H:%M:%S
Sorry, I used a wrong regex.
I tried that without the expression for the ", and it doesn't give errors, but I still have one time wrong. I tried this conf:
[fgt_logs]
TIME_PREFIX = vd="root" date\=
TIME_FORMAT = %Y-%m-%d time=%H:%M:%S
[host::ESALCMUS01]
TZ = Europe/Helsinki
or with the correct TZ:
[host::ESALCMUS01]
TZ = Europe/Madrid
An example of how it is right now.
Ouch, in the image, the time after the image is 8:50.
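As an added illustration, not part of this thread or of Splunk's code, here is a small Python approximation of how TIME_PREFIX, TIME_FORMAT and TZ interact, run over a constructed event shaped like the FortiGate line above. It assumes Python 3.9+ (zoneinfo) and emulates Splunk's strptime, which stops once the format is consumed, by taking the longest parseable prefix of the lookahead window.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo  # Python 3.9+

# Constructed event shaped like the line in the question: unquoted date=/time=
# keys and a second date/time later in the same event. Values are made up.
EVENT = ('<189>date=2018-02-28 time=13:00:42 devname=fw01 '
         'date=2018-02-28 time=14:00:42 logid=0000000013')


def extract_time(event, time_prefix, time_format, tz, lookahead=128):
    """Approximate Splunk timestamp extraction (emulation, not Splunk code).

    TIME_PREFIX is a regex; the timestamp must start right after its match.
    TIME_FORMAT is a strptime pattern. Python's strptime needs an exact
    match, so the longest prefix of the lookahead window that parses is
    used. The naive time is then localized with TZ. Returns None when the
    prefix never matches, which is when Splunk falls back to heuristics or
    the previous event's time and may merge lines into one event.
    """
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    for end in range(len(window), 0, -1):
        try:
            naive = datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
        return naive.replace(tzinfo=ZoneInfo(tz))
    return None


def offset_hours(a, b):
    """Hours by which timestamp a is later than timestamp b."""
    return (a - b).total_seconds() / 3600


# The prefix from the question expects quoted keys ("time"=), so it never
# matches this unquoted event and no timestamp is found.
broken = extract_time(EVENT, r'\"time\"\=', '%H:%M:%S', 'Europe/Madrid')
# A prefix and format that fit the event, with the device's real zone.
FMT = '%Y-%m-%d time=%H:%M:%S'
madrid = extract_time(EVENT, r'date=', FMT, 'Europe/Madrid')
# Same extraction with TZ left at UTC: the two _time values differ by one
# hour, the discrepancy discussed in the thread.
utc = extract_time(EVENT, r'date=', FMT, 'UTC')

if __name__ == '__main__':
    print('quoted prefix ->', broken)
    print('Europe/Madrid ->', madrid.isoformat(), 'epoch', int(madrid.timestamp()))
    print('UTC           ->', utc.isoformat(), 'diff', offset_hours(utc, madrid), 'h')
```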