We have Splunk instances running in EST, however the application log files are in GMT & EST.
When Splunk is indexing the log files in GMT, the time and the timestamp in the event both are showing up in GMT in search.
So, as per the requirement, we are editing the props.conf file to make the time in EST and timestamp in the event in GMT.
I would like to know what is the best practice and is there a global change I can do to fix the timestamp for all the events in Splunk instance to make them in EST regardless of the log file timestamp?
@srisplunk12 - Did the answer provided by jkat54 help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
You will save yourself a lot of grief if you have ALL the servers and logs reporting in UTC, then present them in local time. Failing to enact a simple standard like that, you will be chasing time zones for [ominous voice] the rest of your days.
Whilst not an easy sell in some cases, we took the decision to use UTC everywhere in our environment.
Servers in US, APAC, EU all on zulu.
Takes a bit of getting used to, but makes tracking and correlating events across regions so much simpler.
You could do something like this:
[host::*]
TZ = EST
But I don't think that's going to be what you want to do. If the log timestamps are GMT you want that specific log to be ingested as GMT like this example:
[source::myLog.txt]
TZ = GMT
This way when you're searching in Splunk you don't have an event that happened at 5am GMT showing as 5AM EST... because then when you went to investigate on the server you'd be looking at 5AM EST portions of the logs and seeing 10AM GMT stuff...
If that makes any sense... best to do by source, sourcetype or host if possible.
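To make the 5-hour skew in this answer concrete, here is an added example (my own code, not Splunk's and not part of the thread) that models how a props.conf TZ setting decides the epoch time of a zone-less timestamp. It assumes the simplified precedence source:: > host:: > sourcetype, fnmatch-style wildcards, an indexer in EST, and fixed offsets for GMT and EST; the hosts, file names and timestamps are constructed.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Fixed offsets only. In the tz database "EST" is a fixed UTC-5 zone with no
# daylight saving; a DST-aware choice would be a zone such as America/New_York.
ZONES = {"GMT": timezone.utc, "EST": timezone(timedelta(hours=-5))}

# Assumed precedence when several stanzas match one event (higher wins).
RANK = {"sourcetype": 0, "host": 1, "source": 2}


def parse_props(text):
    """Return (stanza, tz) pairs from props.conf text, in file order."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line.startswith("TZ") and "=" in line and current is not None:
            stanzas.append((current, line.split("=", 1)[1].strip()))
    return stanzas


def tz_for_event(stanzas, host, source, sourcetype, default="EST"):
    """Pick the TZ for one event; default is the (assumed EST) indexer zone."""
    attrs = {"host": host, "source": source, "sourcetype": sourcetype}
    best, best_rank = default, -1
    for stanza, tz in stanzas:
        kind, pattern = stanza.split("::", 1) if "::" in stanza else ("sourcetype", stanza)
        if fnmatch.fnmatch(attrs[kind], pattern) and RANK[kind] > best_rank:
            best, best_rank = tz, RANK[kind]
    return best


def event_epoch(ts_text, tz_name):
    """Interpret a zone-less 'YYYY-MM-DD HH:MM:SS' timestamp in the given zone."""
    naive = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    return int(naive.replace(tzinfo=ZONES[tz_name]).timestamp())


def index(events, props_text):
    """Epoch time Splunk would assign to each event under this props.conf."""
    stanzas = parse_props(props_text)
    return [event_epoch(e["ts"], tz_for_event(stanzas, e["host"], e["source"], e["sourcetype"]))
            for e in events]


# Constructed config in the style of the answer: EST catch-all, GMT for one file.
PROPS = "[host::*]\nTZ = EST\n\n[source::myLog.txt]\nTZ = GMT\n"

# Constructed events: the same instant, written by a GMT log and an EST log.
EVENTS = [
    {"host": "web01", "source": "myLog.txt", "sourcetype": "app", "ts": "2024-01-15 05:00:00"},
    {"host": "web01", "source": "local.log", "sourcetype": "app", "ts": "2024-01-15 00:00:00"},
]
```

With the per-source override both events index to the same epoch; with only the host::* stanza the GMT file lands 18000 seconds (5 hours) late, which is exactly the 5AM-versus-10AM mismatch described above.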