I am having a problem where _time is extracted in the wrong timezone.
My McAfee Web Gateway is in CDT (TZ = Americas/Chicago), but _time is being extracted in UTC.
Here's an example event where Splunk shows _time = 12/8/17 2:18:58.000 AM:
Dec 8 08:18:58 usproxy43 mwg: McAfeeWG|time_stamp=[08/Dec/2017:08:18:58 -0600]|auth_user=User123|src_ip=172.16.0.2|server_ip=123.234.123.234|host=google.com|url_port=443|status_code=200|bytes_from_client=9247|bytes_to_client=415|categories=Search Engines|rep_level=Minimal Risk|method=POST|url=https://google.com/|media_type=application/x-empty|application_name=|user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36|block_res=0|block_reason=|virus_name=|hash=|filename=upload|filesize=0|
I was unsuccessful at trying to fix using TZ in props.conf on the Universal Forwarder:
[host::*proxy*]
TZ = America/Chicago
Is my problem with the TZ on the forwarder, or something in the app?
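An added illustration (not part of the question, and not the poster's code) of why the event above lands six hours early: the line carries two timestamps. The syslog header "Dec 8 08:18:58" has no zone, so a parser with no TZ information treats it as UTC, while the McAfee time_stamp field "[08/Dec/2017:08:18:58 -0600]" carries its own offset and needs no TZ setting at all. The script below extracts each one the way a TIME_PREFIX / TIME_FORMAT pair would, and shows that the header-as-UTC value rendered in Central time is exactly the 2:18:58 AM reported. It assumes a UTC-defaulting parser and uses a fixed -06:00 offset in place of America/Chicago so it runs without a system tz database; the event string is a copy of the one in the question.

```python
import re
from datetime import datetime, timezone, timedelta

# Copy of the event from the question (constructed sample, values are the poster's)
EVENT = (
    "Dec 8 08:18:58 usproxy43 mwg: McAfeeWG|time_stamp=[08/Dec/2017:08:18:58 -0600]"
    "|auth_user=User123|src_ip=172.16.0.2|status_code=200|url=https://google.com/|"
)

# Equivalent of TIME_PREFIX = time_stamp=\[ ; the bracket content is then parsed
# with the equivalent of TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
TS_RE = re.compile(r"time_stamp=\[(?P<ts>[^\]]+)\]")

# Fixed offset standing in for America/Chicago in December (assumption, avoids tzdata)
CST = timezone(timedelta(hours=-6))


def parse_embedded_timestamp(event: str) -> datetime:
    """Parse the vendor time_stamp field; its -0600 suffix makes it zone-aware."""
    m = TS_RE.search(event)
    if not m:
        raise ValueError("no time_stamp field in event")
    return datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")


def parse_syslog_header_as_utc(event: str, year: int) -> datetime:
    """Parse the leading 'Mon dd HH:MM:SS' header, which has no zone or year.

    With no TZ supplied, a parser falls back to UTC (assumed here), which is
    the behaviour that produces the early _time seen in the question.
    """
    head = " ".join(event.split()[:3])           # "Dec 8 08:18:58"
    naive = datetime.strptime(f"{head} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def embedded_time_utc(event: str) -> str:
    """True event time, normalised to UTC (ISO 8601)."""
    return parse_embedded_timestamp(event).astimezone(timezone.utc).isoformat()


def header_time_utc(event: str, year: int = 2017) -> str:
    """Header interpreted as UTC, i.e. what a TZ-less parse stores as _time."""
    return parse_syslog_header_as_utc(event, year).isoformat()


def header_shown_in_cst(event: str, year: int = 2017) -> str:
    """The TZ-less _time rendered in Central time: reproduces the 2:18:58 AM display."""
    return parse_syslog_header_as_utc(event, year).astimezone(CST).isoformat()


def skew_hours(event: str, year: int = 2017) -> float:
    """Hours by which the TZ-less parse is off from the true event time."""
    delta = parse_syslog_header_as_utc(event, year) - parse_embedded_timestamp(event)
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    print("true time (UTC):        ", embedded_time_utc(EVENT))
    print("header parsed as UTC:   ", header_time_utc(EVENT))
    print("that value shown in CST:", header_shown_in_cst(EVENT))
    print("skew in hours:          ", skew_hours(EVENT))
```

The six-hour skew is the signature of a timestamp parsed without zone information. Two points follow for the Splunk setup: a props.conf TZ only influences the component that actually performs timestamp extraction, which for a plain syslog feed is the indexer or heavy forwarder rather than a universal forwarder, so the stanza has to live there; and pointing extraction at the vendor's own field (a TIME_PREFIX of `time_stamp=\[` with TIME_FORMAT `%d/%b/%Y:%H:%M:%S %z`) makes the question moot, because the `-0600` in the event supplies the offset directly.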