My Splunk forwarders are light forwarders, so I am setting my timezone offset for my web servers with the following on my Splunk indexer. In my default app si_idx (/opt/splunk/etc/apps/si_idx/default/props.conf) I place the following:
[host::web*]
TZ = UTC
My web servers are logging in UTC; the event data is as follows:
10:53:24.699
2011-09-27 10:53:24,699 [27] DEBUG SPIN.Wholesale.Presentation.BL.Managers.ChannelRequestManager Channel d3ffba61-0f1a-4e4f-8536-24593a89090b requested at: 27/09/2011 10:53:24
and I wish the Splunk timestamp to be one hour later (Europe/London).
The entry in props.conf above does not work when I restart Splunk; the Splunk timestamp is still in UTC. Where am I going wrong?
thanks, conor