I have a log file with events that look like:
< Start >
Timestamp: 2/27/2015 8:34:14 PM
Information:
Message: Refresh Scheduler Started
Msg: Refresh Scheduler Started
MsgType: Info
Category: General
Priority: -1
EventId: 0
Severity: Information
Machine: SMLIMA
App Domain: Scheduler.exe
ProcessId: 13728
Win32 ThreadId:28176
< End >
The timestamp is using UTC when the server is using -5:00. I have created a props.conf file and have it on both the Universal Forwarder and my Indexer. The stanza looks like:
[lima_log]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = < Start >
TZ = UTC
I have verified this stanza using 'splunk cmd btool props list lima_log' and it appears correct. However, the event's timestamp when searching is +5:00 from what it should be.
What am I doing wrong?
If it matters, I am running Splunk 6.2.1.
Thank you in advance,
Jeremy
I am not sure what I was looking at Friday as when I looked today the events' _time is correct.
Thank you for your help!
You are telling Splunk that the data is in UTC! See line 4 of your stanza! You might want to set
TZ = America/Lima
or any other setting from the TZ database.
Because the Universal Forwarder does not parse the data, you only need the [lima_log] stanza on the indexer. Finally, a 6.2.1 forwarder will provide local time zone info when it sends data - so if the OS on the forwarder has the right time zone, you should not need the TZ setting at all. (Forwarders prior to Splunk 6 did not do this.)
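To make the answer's point concrete, here is an added example (not code from the question or the answer) that parses one event in the format shown above and computes the _time Splunk would assign under TZ = UTC versus TZ = America/Lima. The sample event is constructed from the question, and because Peru does not observe daylight saving time a fixed -05:00 offset is assumed to stand in for the America/Lima zone.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample event, shaped like the one in the question.
SAMPLE_EVENT = """< Start >
Timestamp: 2/27/2015 8:34:14 PM
Information:
Message: Refresh Scheduler Started
MsgType: Info
Machine: SMLIMA
< End >"""

# Splunk's TZ setting names a TZ-database zone such as America/Lima.
# Assumption: Peru has no DST, so a fixed -05:00 offset stands in for it.
ZONES = {
    "UTC": timezone.utc,
    "America/Lima": timezone(timedelta(hours=-5)),
}


def extract_timestamp(event: str) -> str:
    """Return the raw value of the 'Timestamp:' line from one event block."""
    for line in event.splitlines():
        if line.startswith("Timestamp:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Timestamp line in event")


def event_time(event: str, tz_setting: str) -> int:
    """Epoch seconds Splunk would store as _time if props.conf said TZ = tz_setting."""
    raw = extract_timestamp(event)
    naive = datetime.strptime(raw, "%m/%d/%Y %I:%M:%S %p")
    aware = naive.replace(tzinfo=ZONES[tz_setting])
    return int(aware.timestamp())


def drift_hours(event: str, assumed_tz: str, actual_tz: str) -> float:
    """Signed error in hours when the data is really in actual_tz but TZ says assumed_tz.

    Negative means _time lands earlier than the true event time.
    """
    return (event_time(event, assumed_tz) - event_time(event, actual_tz)) / 3600


if __name__ == "__main__":
    for tz in ZONES:
        t = event_time(SAMPLE_EVENT, tz)
        print(f"TZ = {tz:<13} -> _time {t} ({datetime.fromtimestamp(t, timezone.utc).isoformat()})")
    print("drift with TZ = UTC on UTC-5 data:", drift_hours(SAMPLE_EVENT, "UTC", "America/Lima"), "hours")
```

The two interpretations of the same timestamp differ by exactly five hours, which matches the size of the error reported in the question.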