Thx, MarioM
it Really Helps.
For Russia Moscow props.conf for such logs should looks like this one:
[sourcetype::your_sourcetype_name]
MAX_TIMESTAMP_LOOKAHEAD = custom, for example 31
NO_BINARY_CHECK=1 (Do not check for binary, Speed up Perfomance)
TIME_FORMAT=%d/%b/%y %H:%M:%S.%3N %p (Custom date timeformat, to help indexer understand timespamps, [more info][1])
TZ=Europe/Moscow
TZ should be equals to TZ=Europe/Moscow (Only for logs in Mosow TimeZone (+03.00)).
... View more