I need to change the timezone for a host sending logs to our production instance.
I have set up a free test instance of Splunk to try this out before making any changes and have been unsuccessful.
I am sending syslog via port 514 and monitoring the var/log/auth.log file on this test instance.
Can anyone offer me guidance on what I am doing wrong?
My changes to props.conf are below.
/opt/splunk/etc/system/local/props.conf
[host::127.0.0.1]
TZ = Americas/Los_Angeles
[host::cb-mint]
TZ = Americas/Los_Angeles
The correct TZ code should be America/Los_Angeles (America without the s at the end).
Edit: Also, just confirm that you're adding this props on your forwarders.
Thank you. It was actually set right in the props.conf and just a typo on my part. My apologies. My test environment does not have any forwarders configured since it is not supported in the Free version. My time zones are still incorrect unfortunately.