I have a Red Hat 7.4 syslog-ng server with Splunk heavy forwarder (8.1.2) installed. The server TZ is EST.

The server collects udp/514 logs from multiple networking devices and writes them to text files like .../syslogs/todays-internetfirewalls.txt, .../syslogs/todays-routers.txt, .../syslogs/todays-switches.txt.

The Splunk heavy forwarder has data/file monitor inputs for the various text files, and they are assigned to the appropriate index with the appropriate sourcetype. So some network devices sending udp/514 syslogs to the above server are in different timezones, but the entries in the text file written do not adjust for timezones...

Example screen attached - in the screenshot IP 172.24.63.88 is GMT and 172.24.3.5 is EST. I researched and tried to create an app called Timezones on the HF with a local/props.conf file that just lists...

[host::172.24.63.88]
TZ = GMT

but when the file data is ingested the _time for the IP in GMT is the same as it appears in the log file entry, with no adjustment to bring GMT time to EST time?? Any help would be appreciated - I have read several links already and followed a few answers...

https://community.splunk.com/t5/Dashboards-Visualizations/Multiple-Timezones-search-worldwide/td-p/9...
https://community.splunk.com/t5/Getting-Data-In/Multiple-time-zones-in-props-conf/m-p/286456#M54667

I also checked out this link: Specify time zones for timestamps - Splunk Documentation
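The detail that decides whether a `[host::...]` TZ stanza fires is which `host` value the event carries when it reaches the parsing pipeline. A file monitor input stamps every event with the host configured (or defaulted) in inputs.conf at input time, not with the IP that appears inside the syslog line; when several senders share one file, all of their events carry the forwarder's own host name, and `[host::172.24.63.88]` never matches, so `TZ = GMT` is never applied. Setting the host later with an index-time transform does not help either, because host-based TZ settings use the input-time host. One layout that does make the stanza match, written here as an added example rather than a configuration taken from the post: have syslog-ng write one file per sending host under a per-host directory and let `host_segment` assign the host from the path. The path prefix `/path/to/syslogs`, the per-host directory layout, and the `network` index name are assumptions for the example; `172.24.63.88` and `TZ = GMT` come from the post.

```ini
# inputs.conf on the heavy forwarder (example; paths and index are assumptions)
# syslog-ng is assumed to write one file per sender, for instance
#   /path/to/syslogs/byhost/172.24.63.88/todays.txt
# The wildcard matches every sender directory with a single stanza.
[monitor:///path/to/syslogs/byhost/*/todays.txt]
index = network
sourcetype = syslog
# Path segments are counted from 1: /path(1)/to(2)/syslogs(3)/byhost(4)/<sender>(5)
# so host_segment = 5 makes the sender IP the input-time host value.
host_segment = 5

# props.conf in the same app (local/props.conf)
# Matched against the input-time host set above, so it now applies.
[host::172.24.63.88]
TZ = GMT

# A CIDR pattern covers a whole site in one stanza if several devices share a zone.
[host::172.24.63.*]
TZ = GMT
```

After a restart of the forwarder, a quick check is `| tstats count where index=network by host` to confirm events arrive with the sender IP as `host`, then compare `_time` with `_raw` for one GMT device: the gap should now be the EST/GMT offset instead of zero. If the senders cannot be split into separate files, a `[source::/path/to/syslogs/todays-internetfirewalls.txt]` stanza with a single `TZ` is the alternative, but that only works when every device writing to that file sits in the same timezone.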