I believe I do need to process the timezone information in each individual log message because different messages may come from different timezones (GMT -5, GMT +1, GMT +10, etc.). Is there a way in Splunk to parse it?
Alternatively, going back to a solution using DATETIME_CONFIG = NONE, I would somehow need to tell Splunk to take a file modification date, but without the timezone information - perhaps your suggestion, TZ = YourTZ, would work here.
Regarding the %n formatter, I used it to represent a white space. I followed the Unix strptime specification at http://pubs.opengroup.org/onlinepubs/009695399/functions/strptime.html linked from http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition. Perhaps your link (a Python specification) should be there instead.
Many thanks.