We have data coming from syslog which looks like the below:

2021-06-16T19:03:02+02:00 XXXXXXXXXX - (6/16/21 5:03:02.000 PM - Splunk extracted time)
2021-06-16T19:02:58+02:00 XXXXXXXXXX - (6/16/21 5:02:58.000 PM - Splunk extracted time)

This data is sent to the indexer from syslog via heavy forwarders. The data from syslog is actually in the UTC time zone, but +2:00 has been appended wrongly in the syslog data. Splunk intelligence is taking the +2:00 and subtracting it from the UTC time, so there is a 2-hour time gap. In order to extract the correct timestamp we placed props.conf on the heavy forwarder (config below), but the extraction is still not working. We ensured that the on-disk config is as below, but the required timestamps are still not extracted; there is still a time gap of 2 hours.

TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %Y-%m-%dT%H%M%S
LINE_BREAKER = ([\n\r]+)
SHOULD_LINEMERGE = false
TRUNCATE = 999999

Any solutions to extract the highlighted time?
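The two-hour gap described in the post can be reproduced offline. The following is an added example, not part of the original post and not Splunk code: it uses Python's `strptime` as a stand-in for timestamp parsing, with constructed sample lines in the post's shape, and the helper names are hypothetical. It compares honoring the `+02:00` offset with treating the wall-clock part as UTC, and checks whether a given `TIME_FORMAT`-style string matches inside a lookahead window.

```python
from datetime import datetime, timezone

# Constructed sample lines in the shape shown in the post (host masked as in the post).
SAMPLE = [
    "2021-06-16T19:03:02+02:00 XXXXXXXXXX - constructed message",
    "2021-06-16T19:02:58+02:00 XXXXXXXXXX - constructed message",
]
WALL_CLOCK_LEN = 19  # len("2021-06-16T19:03:02"); the offset begins at character 20


def honoring_offset(line):
    """Read the timestamp as written: +02:00 is subtracted to reach UTC."""
    return datetime.fromisoformat(line[:25]).astimezone(timezone.utc)


def wall_clock_as_utc(line):
    """Ignore the appended offset and treat the wall-clock part as UTC."""
    naive = datetime.strptime(line[:WALL_CLOCK_LEN], "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def skew_seconds(line):
    """Difference between the two readings of the same line."""
    return int((wall_clock_as_utc(line) - honoring_offset(line)).total_seconds())


def parse_within_lookahead(line, fmt, lookahead):
    """Return the datetime fmt yields on some prefix of the first `lookahead`
    characters, or None if no prefix matches (stand-in check, not Splunk's parser)."""
    for n in range(min(lookahead, len(line)), 0, -1):
        try:
            return datetime.strptime(line[:n], fmt)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for line in SAMPLE:
        print(line[:25], "offset honored:", honoring_offset(line).isoformat(),
              "| as UTC:", wall_clock_as_utc(line).isoformat(),
              "| skew:", skew_seconds(line), "s")
    for fmt in ("%Y-%m-%dT%H%M%S", "%Y-%m-%dT%H:%M:%S"):
        print(fmt, "->", parse_within_lookahead(SAMPLE[0], fmt, 20))
```

The first format string in the final loop is the one from the posted config; the second, with colons, is included only for comparison.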