I currently have the following in my props.conf (real values were replaced by x's) which matches the names of all my ESXi hosts:
[host::xxx-*xxx-*]
TZ=UTC
What I'm finding is that some events from the hosts are showing up under the proper timestamps (e.g. UTC adjusted to EST) and others are showing up under different timestamps (basically it appears that the time is being adjusted twice). For the following event, the raw event text is correct. It shows the proper timestamp adjustment, but the timestamp that Splunk lists for the event while searching is 9/13/12 8:36:20.000 AM, which has been adjusted backwards by an additional 4 hours:
Sep 13 12:36:20 hostname.xxx.xxx Sep 13 16:36:20 Hostd: [2012-09-13 16:36:20.418 56682B90 info 'ha-eventmgr']
I'm also receiving events from the hosts like the following that appear to be part of a multiline event (they contain no date/time values in the event text), but these are showing up with the proper timestamps when searching (such as searching events from the past 15 minutes):
xx.xxx.xxx.xxx: icmp_seq=0 ttl=255 time=0.447 ms
Any ideas where I should look to figure out what is happening? I have one host that currently is coming in under its IP address instead of host name (and thus isn't matching the timezone rule in the props.conf) and the events are showing up with the proper timestamp.
If I remove the entry from the props.conf, the events that contain no date/time information end up receiving timestamps in the future (basically the UTC value).
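As an added check that is not part of the original question, the following Python works the arithmetic for the event quoted above: it pulls each syslog-style "Mon DD HH:MM:SS" timestamp out of the line, interprets it as UTC (what the props.conf stanza declares), renders it in an assumed UTC-4 display zone (US Eastern in September), and reports which candidate reproduces the 8:36:20 AM that search shows. The year 2012 is taken from the ISO timestamp in the event; the display offset is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the event from the question (hostname redacted as in the post).
RAW_EVENT = ("Sep 13 12:36:20 hostname.xxx.xxx Sep 13 16:36:20 Hostd: "
             "[2012-09-13 16:36:20.418 56682B90 info 'ha-eventmgr']")

# Assumption: the searching user's zone is UTC-4 (Eastern daylight time in September).
DISPLAY_TZ = timezone(timedelta(hours=-4), "UTC-4")

# Syslog-style timestamps: "Sep 13 12:36:20". The ISO timestamp inside the
# brackets is deliberately not matched so the two header-style times stand out.
SYSLOG_TS = re.compile(r"\b[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}\b")


def candidate_timestamps(event, year=2012):
    """Return every syslog-style timestamp in the event as a naive datetime,
    in the order a left-to-right timestamp extractor would meet them."""
    return [datetime.strptime(f"{year} {m.group(0)}", "%Y %b %d %H:%M:%S")
            for m in SYSLOG_TS.finditer(event)]


def apply_tz(naive, source_tz, display_tz):
    """Interpret a naive extracted time in source_tz (the zone TZ= declares
    for the host) and render it in display_tz (the searching user's zone)."""
    return naive.replace(tzinfo=source_tz).astimezone(display_tz)


def explain(event, observed, source_tz=timezone.utc, display_tz=DISPLAY_TZ):
    """For each candidate timestamp, compute what search would display under
    TZ=source_tz and flag whether it equals the observed display time.
    Returns a list of (extracted, displayed, matches_observed) tuples."""
    results = []
    for naive in candidate_timestamps(event):
        shown = apply_tz(naive, source_tz, display_tz)
        results.append((naive, shown, shown.replace(tzinfo=None) == observed))
    return results


if __name__ == "__main__":
    # The value search displayed for this event, per the question: 8:36:20 AM.
    observed = datetime(2012, 9, 13, 8, 36, 20)
    for extracted, shown, hit in explain(RAW_EVENT, observed):
        flag = "<- matches what search shows" if hit else ""
        print(f"extracted {extracted:%H:%M:%S} as UTC -> displayed {shown:%H:%M:%S} {flag}")
```

Only the first (already local) header timestamp, treated as UTC, lands on 08:36:20; the second, 16:36:20, would display as 12:36:20.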