I have some logs rolling into Splunk (via HF) in UTC time, and it is throwing off users' searching with CST (local time).
Is there a way to edit props or transforms to keep the UTC time but convert it to local CST time?
Or is that not an option?
Thank you
Hello there,
See here in the docs:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Applytimezoneoffsetstotimestamps
A nice answer here:
https://answers.splunk.com/answers/135193/splunk-indexing-and-time-zone-normalization.html
Hope it helps
Hi Log_wrangler,
Yes, you can achieve this by using props.conf. Be sure to push this to both UF and HF.
[source::your_source]
TZ = US/Central
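An added example, not from the thread or from Splunk's code: a small Python model of what the TZ attribute changes for a timestamp that carries no zone of its own. TZ names the zone the raw timestamp was written in, the event is stored as an epoch value, and the displayed hour comes from the viewer's zone. The function names, the timestamp format and the sample event are constructed, and CST is modelled as a fixed UTC-6 offset (no daylight time) so the code runs without a time zone database.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
CST = timezone(timedelta(hours=-6), "CST")  # assumption: fixed offset, no DST

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # constructed format with no zone in the text


def index_time(raw_timestamp, source_tz):
    """Interpret a zone-less timestamp in source_tz and return epoch seconds.

    This models the effect of TZ in props.conf: it tells the parser which
    zone the raw text is in; it does not change how the event is displayed.
    """
    naive = datetime.strptime(raw_timestamp, TIME_FORMAT)
    return int(naive.replace(tzinfo=source_tz).timestamp())


def render(epoch, user_tz):
    """Format a stored epoch value the way a viewer in user_tz would see it."""
    return datetime.fromtimestamp(epoch, user_tz).strftime(TIME_FORMAT + " %Z")


def skew_seconds(raw_timestamp, actual_tz, configured_tz):
    """Offset introduced when configured_tz differs from the zone the
    device really wrote its timestamp in."""
    return index_time(raw_timestamp, configured_tz) - index_time(raw_timestamp, actual_tz)


if __name__ == "__main__":
    raw = "2018-01-15 18:30:00"  # constructed event, written by a device logging in UTC

    stored = index_time(raw, UTC)
    print("stored epoch:        ", stored)
    print("shown to a UTC user: ", render(stored, UTC))
    print("shown to a CST user: ", render(stored, CST))

    # Same raw text, but the parser is told the text is Central time.
    shifted = index_time(raw, CST)
    print("epoch if TZ says CST:", shifted)
    print("skew in hours:       ", skew_seconds(raw, UTC, CST) / 3600)
```

When correlating events across sources during an investigation, a non-zero skew means the same moment lands in different search time ranges for different sources.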