Hi,
I have noticed that one of our Splunk indexers, whilst indexing data from a host, seems to be using different time locales to convert the timestamps... Any reason for this?
Example: Extract from host: nyl01a-4103 recorded time in Splunk 06/01/2011 17:33:41.000 (This is correct as my UI is in the UK and the host is in NY)
2011-01-06 12:33:40,605 INFO DQS [821897797] QueryService - Fetch Size|1000
Example: Extract from host: nyl01a-4103 recorded time in Splunk 06/01/2011 17:33:45.000
2011-01-06 07:33:45,863 INFO DQS [1514448925] QueryServiceUtil - maxFetchSize lookup time: 0
Example: Extract from host: nyl01a-4103 recorded time in 06/01/2011 17:33:58.000
2011-01-06 06:33:58,279 INFO DQS [2063101246] QueryService - Fetch Size|1
Note: All these events were returned in the same search. I am guessing there is some timestamp locale setting which needs to be configured. Any ideas?
I would set an explicit time extraction rule based on sourcetype, as well as set the timezone values based on host. For example:
in system/local/props.conf:
[my_sourcetype]
# Matches the leading "2011-01-06 12:33:40" in the sample events
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Timestamp starts at the beginning of the line
TIME_PREFIX = ^
# Only look at the first 20 characters for the timestamp
MAX_TIMESTAMP_LOOKAHEAD = 20
[host::nyl01a-4103]
# Assuming the server respects DST
TZ = America/New_York
# If the server does not respect DST
# TZ = UTC-4
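As an added illustration (not part of the answer above or of Splunk itself), a small Python emulation of how those props.conf rules would extract the timestamp from the three events the question quotes and render them for a UK user. The UI zone Europe/London and the fixed-offset fallbacks used when no tz database is installed are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the three raw events quoted in the question.
RAW_EVENTS = [
    "2011-01-06 12:33:40,605 INFO DQS [821897797] QueryService - Fetch Size|1000",
    "2011-01-06 07:33:45,863 INFO DQS [1514448925] QueryServiceUtil - maxFetchSize lookup time: 0",
    "2011-01-06 06:33:58,279 INFO DQS [2063101246] QueryService - Fetch Size|1",
]

# The props.conf settings from the answer, as Python values.
TIME_PREFIX = r"^"
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def zone(name, fallback_offset_hours):
    """Resolve an IANA zone; fall back to a fixed offset (assumed, January values) if tzdata is missing."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:
        return timezone(timedelta(hours=fallback_offset_hours))


HOST_TZ = zone("America/New_York", -5)   # TZ for [host::nyl01a-4103]; EST in January
UI_TZ = zone("Europe/London", 0)         # assumed zone of the asker's UI; GMT in January


def extract_timestamp(event, host_tz=HOST_TZ):
    """Simplified emulation of explicit extraction: anchor on TIME_PREFIX,
    take MAX_TIMESTAMP_LOOKAHEAD characters, parse with TIME_FORMAT, attach host TZ."""
    m = re.search(TIME_PREFIX, event)
    if m is None:
        return None
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    # Splunk's strptime stops once the format is consumed; Python's needs an exact
    # match, so try progressively shorter prefixes of the lookahead window.
    for end in range(len(window), 0, -1):
        try:
            naive = datetime.strptime(window[:end], TIME_FORMAT)
        except ValueError:
            continue
        return naive.replace(tzinfo=host_tz)
    return None  # no timestamp found; Splunk would fall back to other heuristics


def display_time(event, ui_tz=UI_TZ):
    """Render the extracted event time the way a UK user would see it."""
    ts = extract_timestamp(event)
    return None if ts is None else ts.astimezone(ui_tz).strftime("%d/%m/%Y %H:%M:%S")


if __name__ == "__main__":
    for e in RAW_EVENTS:
        print(display_time(e), "<-", e[:23])
```

With the host pinned to America/New_York, the three events land at 17:33, 12:33 and 11:33 UK time, i.e. the raw log times plus the host's offset rather than a single near-identical time for all three.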