Hey MasterOogway,
I had a pain syncing my timezones too, here is the info that helped me out:
First, you should note that the Splunk Indexer sets everything relative to its own time zone. Thus if you want to have the logs be indexed based on CST, the Indexer's timezone must be set to CST. The Indexer gets its timezone info from the clock set on the machine it's installed on, so to reiterate, the Indexer machine's Time and Date settings should be set to CST if that is the timezone you want to base inputs off of. Yes, it is kinda annoying, w/e.
Secondly, all machines that are in a different time zone from your Indexer (anything not in CST) will need to have a TZ setting in props.conf. The TZ setting will be set to whatever timezone the forwarding host is in, thus if the Indexer is in CST and the Forwarder is in EST then the TZ set in props.conf on the Indexer for the Forwarder would be set to EST. Splunk will then figure out the difference between the two timezones and mark inputs accordingly.
I also noticed that you were not using correct TZ codes for the TZ setting, "GMT" is not a correct TZ code. The list of TZ codes can be found here: http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones (Look under the TZ column)
So to wrap up, I think your entry looks good except that "GMT" is not a correct TZ. I would double check that you use the right TZ for daylight savings time; UTC has more zones than GMT, with more specific daylight savings times. Use the wiki page above and pay attention to the Standard Time vs Summer Time. For example, America/Dawson_Creek has a standard time zone of UTC-07 and no summer time, while America/Cambridge_Bay also has a standard time zone of UTC-07 but has a summer time of UTC-06. If the Indexer's timezone and the Forwarder's time zones are not synched for daylight savings time then you could hit some nasty bugs whenever daylight savings time changes.
Good Luck and Happy Splunking!
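Added example, not part of the original post: a Python check of the two zones the answer compares, showing how far event times drift when a source's TZ names a zone with the same standard offset but different daylight saving rules. The function names and the sample timestamps are constructed for illustration, and the script assumes the system tz database is available to `zoneinfo`.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

FMT = "%Y-%m-%d %H:%M:%S"  # zone-less timestamp, as found in many log lines


def _localize(local_ts: str, tz_name: str) -> datetime:
    """Read a zone-less timestamp as wall-clock time in tz_name."""
    return datetime.strptime(local_ts, FMT).replace(tzinfo=ZoneInfo(tz_name))


def utc_offset_hours(local_ts: str, tz_name: str) -> float:
    """UTC offset in effect in tz_name at that wall-clock time."""
    return _localize(local_ts, tz_name).utcoffset().total_seconds() / 3600


def to_epoch(local_ts: str, tz_name: str) -> int:
    """Epoch seconds the event gets if tz_name is assumed."""
    return int(_localize(local_ts, tz_name).timestamp())


def skew_seconds(local_ts: str, actual_tz: str, configured_tz: str) -> int:
    """Error in the indexed time when configured_tz is used for a host
    whose clock really follows actual_tz (positive = stamped too late)."""
    return to_epoch(local_ts, configured_tz) - to_epoch(local_ts, actual_tz)


if __name__ == "__main__":
    actual = "America/Cambridge_Bay"     # UTC-07 standard, UTC-06 summer
    configured = "America/Dawson_Creek"  # UTC-07 all year
    # Constructed sample timestamps: one in winter, one in summer.
    for ts in ("2024-01-15 12:00:00", "2024-07-15 12:00:00"):
        print(ts,
              "actual offset", utc_offset_hours(ts, actual),
              "configured offset", utc_offset_hours(ts, configured),
              "skew", skew_seconds(ts, actual, configured), "s")
```

In winter the two zones agree; in summer every event from that host lands one hour off, which is enough to break correlation across sources in a time-windowed search.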