Hi all,
I am trying to change the timeset of the forwarders; however, it is not working.
As indicated in the URL (http://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps), I have already included the below property in the files:
/opt/splunk/etc/system/local/props.conf
/opt/splunk/etc/apps/"APPS"/default/props.conf
[sourcetype name]
TZ = America/Sao_Paulo
And after resetting Splunk, I am still seeing the "_time" in UTC.
I already tried this property using host and source.
What else do I need to do to reflect the timezone?
Thanks and regards,
Danillo Pavan
I'm pretty sure the timezone is being converted to whatever you have set as your timezone on the search head you're looking up logs from.
Try changing your time zone in user settings and see what happens.
Yes, changing the user timezone configuration (changing from DEFAULT to BR), I have the expected results; however, it is not what I am finding. I want to have it defined in the index server, not directly in the user settings.
Executing the below query, I still have the "N/A" value for my sourcetypes:
index=sap | dedup host sourcetype | eval date_zone=coalesce(date_zone, "N/A") | eval lagSecs=_indextime-_time | table host sourcetype source date_zone lagSecs
Splunk will convert the time into the time zone of the indexer, i.e., if the indexer is running in PST and your forwarder is in UTC, Splunk will convert the UTC time to the equivalent PST time. With the TZ configuration, you inform the Splunk indexer of the time zone of the event. This setting should be on the indexer in case you are using a universal forwarder.
From your problem statement it seems that your indexer server is in the "UTC" timezone, which is the reason why you are seeing events in the UTC timezone.
Yes, I have already included the TZ properties; however, it didn't reflect in the indexer server timezone.
If I execute the below query, I still have my sourcetypes with the "N/A" value:
index=sap | dedup host sourcetype | eval date_zone=coalesce(date_zone, "N/A") | eval lagSecs=_indextime-_time | table host sourcetype source date_zone lagSecs
Not sure how to reflect the timezone in the indexer server.
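A simplified model of the two stages discussed in this thread, added here as an example (not code from any poster or from Splunk): TZ only decides how a timestamp with no offset is turned into the stored epoch at parse time, while the time shown in search results is that epoch rendered in the viewer's timezone. The function names and the sample timestamp are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    SAO_PAULO = ZoneInfo("America/Sao_Paulo")
except Exception:
    # No tz database on this host: fixed UTC-3 (correct for the sample date).
    SAO_PAULO = timezone(timedelta(hours=-3))

RAW = "2024-03-10 12:00:00"  # constructed sample timestamp, no offset in the text


def parse_event_time(raw, assumed_tz):
    """Parse-time step (hypothetical helper): raw timestamp -> epoch seconds.

    An offset written in the event itself wins; otherwise assumed_tz is
    applied, which is the role the TZ setting plays in props.conf.
    """
    for fmt in ("%Y-%m-%d %H:%M:%S %z", "%Y-%m-%d %H:%M:%S"):
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=assumed_tz)
        return int(dt.timestamp())
    raise ValueError("unrecognized timestamp: %r" % raw)


def render(epoch, viewer_tz):
    """Search-time step (hypothetical helper): epoch -> text in the viewer's zone."""
    return datetime.fromtimestamp(epoch, viewer_tz).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    cases = (("no TZ, parsing host in UTC", timezone.utc),
             ("TZ = America/Sao_Paulo", SAO_PAULO))
    for label, tz in cases:
        epoch = parse_event_time(RAW, tz)
        print(label, "-> epoch", epoch,
              "| UTC viewer:", render(epoch, timezone.utc),
              "| Sao Paulo viewer:", render(epoch, SAO_PAULO))
```

If the stored epoch is right, a UTC viewer sees the event three hours later than the raw text while a Sao Paulo viewer sees the raw wall-clock time; a wrong assumed zone at parse time shifts the epoch itself, which shows up as a constant lag between `_indextime` and `_time`.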