Hey Splunkers, while I was able to be self-sufficient in most cases, I have one application log server which is driving me crazy. We have a working file monitor, but even though all files are in the correct timezone on the source system, they end up 4 hours in the future on Splunk Cloud. All other log files from the same middleware application park are correct. We deployed to our UF and all HFs before sending to Splunk Cloud.

Our props.conf is:

    [oid.prod:log]
    MAX_TIMESTAMP_LOOKAHEAD = 26
    TZ = UTC
    TIME_PREFIX = ^
    TIME_FORMAT = %Y-%m-%d %H:%M:%S.%6N
    LINE_BREAKER = ([\r\n]+)

A source event looks like:

    2021-05-07 20:26:19.3921 "OID" - - - "83270" - - "UserLogout" TRUE - "cn=remedyadmin,cn=service_accounts,dc=dsd,dc=xxxxxx,dc=com" "Operation name: unbind" - "10.3.79.10" - - - - "unbind" -

The event time is: 2021-05-07T20:26:19.392-04:00

So how can I fix this so I can avoid having to select All Time to display that sourcetype, which is 4h in the future? All timezones are set to Eastern in Splunk. I am at a loss here and have a similar issue with a syslog source on a different cloud-based system.
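An added example (not the poster's configuration) showing the posted stanza beside a corrected one. The log line carries no zone indicator, so TZ decides how Splunk reads the wall-clock time: TZ = UTC treats 20:26:19 as 20:26:19Z, while the event actually happened at 20:26:19-04:00, which is exactly the 4-hour shift into the future described above. America/New_York is an assumption based on the post saying the source is Eastern; substitute the zone the source host really uses.

```ini
# Corrected stanza. Only the TZ line changes; it is a placeholder for the
# actual zone of the system writing the log (assumed Eastern here).
# Timestamp settings (TZ, TIME_*) are applied by the first full Splunk
# instance that parses the data, i.e. the HF in this pipeline, not the UF.
[oid.prod:log]
MAX_TIMESTAMP_LOOKAHEAD = 26
# TZ = UTC            <- as posted: reads local 20:26:19 as UTC, +4h in summer
TZ = America/New_York
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%6N
LINE_BREAKER = ([\r\n]+)
```

After deploying, confirm the fix by comparing _time with the raw timestamp of a fresh event for that sourcetype; an unchanged 4-hour gap means the stanza is not reaching the instance that actually parses the data.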