TimeZone specification in props.conf on a SplunkUniversalForwarder instance does not appear to be working for me.
SplunkUniversalForwarder instance version 6.3.2
Splunk instance (indexer) version 7.0.0
The application server running the forwarder is in US/Eastern system timezone (cannot change)
The logs are generated in UTC without a timezone specifier in the string (cannot change)
As the logs are received by Splunk they are interpreted as being UTC-5 as I suppose the forwarder is appending its system timezone. As the _time field is subsequently converted to UTC we see logs with time values 5 hours in the future.
I want to configure the forwarder instance to explicitly state that the timezone of the records it's sending on is UTC. I've tried the following:
props.conf in:
- apps/appname/local
- apps/appname/default
- system/local
- system/default
I've tried several different stanzas to match the log monitors, for example:
[sourcetype]
TZ = UTC
[host::hostname*]
TZ = UTC
[source::...//logs//debug_*]
TZ = UTC
[default]
TZ = UTC
All to no avail. Actually I am now at the point where I don't think the configuration is a problem, but it may still be. I don't see any difference to the logs imported regardless of which of the above options I use, so it's like it's being overridden at the indexer or simply not picked up.
Documentation suggests that the forwarder should be able to append TimeZone information from props.conf post version 6 and that this ought to be respected when indexed. I'm not seeing this behaviour at all. I don't want to / can't configure this at the indexer as I have servers in multiple different timezones, they each need to be able to specify the source tz information.
Can anyone suggest any other avenues of exploration? Thanks in advance.
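Added example, not part of the original post and not Splunk code: a small check for the symptom described above. It compares a zone-less log timestamp, known to be UTC, with the epoch stored in `_time` and reports which UTC offset the parser must have assumed. The timestamp layout, function names and sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed log layout: the line starts with "YYYY-MM-DD HH:MM:SS" and no zone.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def assumed_utc_offset(raw_line, indexed_epoch):
    """Return the UTC offset in hours that was applied to the zone-less
    timestamp, given the epoch value indexed as _time.
    Returns None when the line carries no leading timestamp."""
    m = TS_RE.match(raw_line)
    if not m:
        return None
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    # Ground truth for this scenario: the application writes UTC.
    true_epoch = naive.replace(tzinfo=timezone.utc).timestamp()
    skew = indexed_epoch - true_epoch  # > 0 means the event is future-dated
    # Real zone offsets are multiples of 15 minutes; snap to that grid.
    return round(-skew / 900) / 4


def summarize(events):
    """Count events per assumed offset; lines without a timestamp are skipped."""
    offsets = (assumed_utc_offset(raw, epoch) for raw, epoch in events)
    return Counter(o for o in offsets if o is not None)


# Constructed sample: (raw line, _time epoch as exported from a search).
SAMPLE_EVENTS = [
    ("2018-01-15 12:00:00 DEBUG request started", 1516035600),   # read as UTC-5
    ("2018-01-15 12:00:05 DEBUG request finished", 1516035605),  # read as UTC-5
    ("2018-07-15 12:00:00 DEBUG request started", 1531670400),   # read as UTC-4
    ("2018-01-15 12:00:10 DEBUG heartbeat", 1516017610),         # read as UTC
]

if __name__ == "__main__":
    for offset, count in sorted(summarize(SAMPLE_EVENTS).items()):
        state = "correct" if offset == 0 else "timezone setting not applied"
        print(f"UTC{offset:+.2f}h: {count} event(s), {state}")
```

An offset of 0 for every event after a configuration change means the UTC setting took effect; a mix of -5 and -4 across winter and summer events means the host's US/Eastern zone is still being applied.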