We found a solution that worked in our case. We have Windows servers in two different data centers, in different time zones. The application log files in each are using the local time zone for the timestamp. We were going to switch based on hostname, BUT that introduced problems with log files like IIS, which are in UTC everywhere. We found in the documentation for props.conf that if TZ for a sourcetype stanza is NOT specified, it will default to (use) the server's local time stamp. That worked for us.

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
    use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
    the version 6.0 and higher forwarding protocol, use the timezone provided
    by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string
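The resolution order quoted above, modeled as an added Python sketch (not part of the original post and not Splunk's code), to show how the same kind of log line lands at different UTC instants depending on which rule decides. Assumptions: the function names, the sample log lines and the two data-center offsets are constructed, fixed UTC offsets stand in for named time zones, and a non-empty `forwarder_tz` stands for a forwarder using the 6.0+ protocol.

```python
import re
from datetime import datetime, timedelta, timezone

# Leading timestamp, optionally followed by a zone in the raw text (UTC, Z, -08:00).
EVENT = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\s*(UTC|Z|[+-]\d{2}:?\d{2})\b)?")

def parse_zone(text):
    """Turn 'UTC', 'Z' or an offset such as '-08:00' into a tzinfo."""
    if text in ("UTC", "Z"):
        return timezone.utc
    digits = text[1:].replace(":", "")
    delta = timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
    return timezone(-delta if text[0] == "-" else delta)

def resolve_event_time(raw, tz_setting=None, forwarder_tz=None,
                       indexer_tz=timezone.utc):
    """Return (event time in UTC, name of the rule that decided the zone)."""
    m = EVENT.match(raw)
    if m is None:
        raise ValueError("no leading timestamp in event")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    if m.group(2):                      # 1. zone present in the raw text
        tz, rule = parse_zone(m.group(2)), "raw text"
    elif tz_setting is not None:        # 2. TZ set in the props.conf stanza
        tz, rule = tz_setting, "TZ setting"
    elif forwarder_tz is not None:      # 3. zone reported by the forwarder (6.0+ protocol)
        tz, rule = forwarder_tz, "forwarder"
    else:                               # 4. zone of the host running splunkd
        tz, rule = indexer_tz, "splunkd host"
    return naive.replace(tzinfo=tz).astimezone(timezone.utc), rule

# Constructed sample data: two data centers at fixed offsets, one app line, one IIS line.
DC_A = timezone(timedelta(hours=-6))
DC_B = timezone(timedelta(hours=-5))
APP_LINE = "2024-01-15 09:00:00 INFO order service started"
IIS_LINE = "2024-01-15 15:00:00 GET /health 200"   # IIS writes UTC

if __name__ == "__main__":
    cases = [
        ("app log, TZ unset, forwarder in DC A", APP_LINE, None, DC_A),
        ("app log, TZ unset, forwarder in DC B", APP_LINE, None, DC_B),
        ("IIS log, TZ pinned to UTC", IIS_LINE, timezone.utc, DC_A),
        ("IIS log, TZ chosen by hostname (DC A)", IIS_LINE, DC_A, DC_A),
    ]
    for label, line, tz_setting, fwd in cases:
        when, rule = resolve_event_time(line, tz_setting, fwd)
        print(f"{label:40} -> {when:%Y-%m-%d %H:%M} UTC via {rule}")
```

The last case is the hostname-based approach the post describes running into: the UTC-stamped IIS line is shifted six hours, which breaks timeline correlation across sources during an investigation.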