I have a use case where my log files have timestamps in various timezones, and I want to generate alerts based on the indexed time (MST). I tried using DATE_CONFIG=NONE, TZ=<> in props, however it's not working as expected and search is not recognizing the event as latest. Also, the dedup doesn't work, as multiple indexers in the cluster are assigning different indexed times.
Hi @richgalloway, the problem is our log file entries do not have a timezone attribute. Even with the above search query, if an entry comes ahead of the index timezone, it's not getting picked up by my search condition.
For example: the current time in MST (Arizona) is 13:30 MST, and the log entry is created something like this:
11/13/2020 17:20:26 ABC_123 Process failed
The indexed time for the above is 13:30; I want this event to be picked up in the search condition. I tried with the TZ=<> attribute, and it didn't work either.