I am sure this question has been asked numerous times and there are a number of answers around this, but for some reason it's not working for us.
So, we have an IIS log (W3C) which logs data to a text file in UTC format, like "2018-05-02 18:30:00 xx.xx.xx.xx POST /abc/xyz"
The problem: this log is in UTC and all our users and servers are in EST. While searching or building dashboards, it gets tough to work in two time zones. All other data on the servers is in EST.
What we want: along with all the data in EST, the IIS log should come into the Splunk index as EST.
What we tried: we tried query-level conversion, but that's not efficient enough. We tried props.conf as suggested in various answers, with the formats below one by one, and none actually helped. Please confirm if we are doing it right.
TZ=UTC
TZ=America/Santiago
TZ=GMT+04:00
TZ=US/Eastern etc
Raw Data: 2018-05-02 18:30:00 xx.xx.xx.xx POST /abc/xyz
Expected Data in Splunk:
_time:14:30:00; Data:2018-05-02 18:30:00 xx.xx.xx.xx POST /abc/xyz