I have a script on a Linux forwarder to monitor a load balancer. Its log is a txt file in UTC format. I need to set the time zone to Europe/Rome; to do this I've set up props.conf on the indexer as shown below:
TZ = Europe/Rome
The result is the same.
As you can see, events without a timestamp are logged with the correct time; the time extraction is wrong.
I downvoted this post because this isn't a very helpful comment. Telling someone to just read the documentation doesn't help someone find what they're looking for to become better.
As I responded in a previous comment, it seemed to be a general "how do I configure timezones to work" question. As such, I linked to the documentation in my answer.
I get the reasoning behind the downvote. I think it's the type of post that should potentially be downvoted (when an answer is purposely unhelpful, etc.). In this case I simply misunderstood the question, and apologized to the asker prior to the downvote.
When I posted the answer, a pointer to the correct documentation seemed like the best place to start, due to my missing the details in the question about already having attempted to implement the configs.
All in all, it was a reasonable consideration to downvote.
My apologies, I didn't see the props.conf snippet you posted. I read this as a general "how do I use TZ in Splunk" question. @ddrillic's comment seems to identify at least one issue with this configuration.
Based on this screen-shot, these two events don't seem to be of source = NSowa. You see, source is not listed below the event, only
Thanks ddrillic, the source is correct. I don't know why, but I've hosted a new screenshot on imgur but the forum doesn't show it ... I've posted a new reply in the main thread with the screenshot.