I have systems that forward logs via syslog-ng to my Splunk server. Systems are in different TZs, a mix of EDT and GMT; my Splunk server/indexer is in EDT. I have the TZ offset displayed in log entries being sent to the Splunk server. Two questions: will Splunk read the TZ offset and display indexed entries in EDT without me having to put an entry for each host in props.conf? If Splunk will do it automatically, is there a certain position the TZ offset has to be in? Current format: Sep 6 15:38:14 hostname +00:00
You can use a regex to match a set of hosts. Have you looked at "Specify time zones of timestamps" in the Getting Data In manual? The example there is pretty close to your situation, if I am understanding you correctly.
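One way to set this up along the lines the answer describes, as an added example that is not from the thread or from Splunk's documentation: a props.conf fragment that assigns a time zone by host-name pattern and pins the timestamp format for the syslog sourcetype. The host patterns lon-* and nyc-* are assumptions; substitute whatever naming convention distinguishes the GMT hosts from the EDT hosts.

```ini
# props.conf on the indexer (or heavy forwarder) that parses the syslog feed.
# Host stanzas accept * wildcards, so one stanza covers a whole naming pattern.
# Constructed example: the patterns lon-* and nyc-* are assumed host names.

# Hosts whose clocks run on GMT/UTC
[host::lon-*]
TZ = UTC

# Hosts whose clocks run on US Eastern time; the zone rules handle EDT vs EST
[host::nyc-*]
TZ = US/Eastern

# Parse the syslog header timestamp explicitly instead of auto-detecting it.
# The format has no %z, so the event timestamp itself carries no offset and
# the per-host TZ above is what Splunk applies. The trailing "+00:00" after
# the hostname is not part of the timestamp and is left alone.
[syslog]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 16
```

TZ is applied at index time, so events already indexed keep their original _time; check a fresh event with the "Check TZ" style search of comparing _time against the raw header after the change.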