Hi all,
I have installed and configured fortiweb for splunk app. The problem is that the time in the log is correct, but the time I receive in the Splunk time column is 7 hours different. It should be mentioned that there is a field in the logs called timezone_dayst that it differs from my time zone by exactly 7 hours.
I also added TZ = MyTimeZone to the props.conf of the app but problem still exists.
For example, in the image below, it can be seen that the time is equal to 8:37, while the log time is equal to 1:07, and of course timezone_dayst has a drift (-3:30 instead of +3:30).
Any ideas are appreciated.
I would recommend making the following checks:
1. The props.conf file is on the indexer machines
2. The props.conf file is readable by the splunk user
3. The TZ value in the props.conf file reflects the timezone of the logs
4. In your Splunk User Preferences in the webUI, your timezone is set to your current timezone
Hi
it's quite possible that your logs have issues in onboarding. It's probably take wrong timezone information from logs or actually cannot find it and for that reason it use some assumptions which seems to to incorrect.
Here https://splunk-usergroups.slack.com/files/U0483CQG4/F06PKREDNLW/masa.pdf is excellent picture/flow how data is ingested into splunk and where you should put different configuration options. It's new version of previous MASA diagram.
r. Ismo