I am having issue with some ironport logs with Time zone. The logs are coming in as UTC "2017-05-04T16:05:40+00:00" but it is actually CDT time. How do i tell Splunk in props.conf to ignore +00:00 at the end and look at it as CDT time zone.
I have tried the following but didnt work
[source:::///.....//.log]
TZ = US/Central
Also tried using [host::2.2.2]
Any help would be welcomed
That time zone offset, if present, takes precedence over the TZ value, per this page -
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/Applytimezoneoffsetstotimestamps
In order for the TZ to work, therefore, the +00:00 needs to be ignored completely. So you just need to redo the time format for that source type to NOT have that aspect of the input being considered as part of the time stamp.
props.conf -
[source:::///.....//.log]
TZ = US/Central
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
That time zone offset, if present, takes precedence over the TZ value, per this page -
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/Applytimezoneoffsetstotimestamps
In order for the TZ to work, therefore, the +00:00 needs to be ignored completely. So you just need to redo the time format for that source type to NOT have that aspect of the input being considered as part of the time stamp.
props.conf -
[source:::///.....//.log]
TZ = US/Central
TIME_FORMAT = %Y-%m-%dT%H:%M:%S