I use TIME_PREFIX and TIME_FORMAT to recognize the timestamp of my logs. There is a field named timezone. It is the timezone of the logs. This value depends on the system that generated the logs. It may be timezone=-0400, timezone=+0000, etc. That depends on the incoming data. How can I set the timezone so that _time will be adjusted correctly?
For example:
TIMESTAMP= 2020/04/10 08:20:50.370
timezone = -400
The local timezone of my Splunk is +0800. How do I set the timezone so that 2020/04/10 08:20:50.370 can be converted to my local time 2020/04/10 20:20:50.370? When I search my data, I want the time (_time) to be shown as my local time.
If you're using a forwarder to send the logs to Splunk, put the props.conf on the forwarder with the TZ setting for that server.
No, I don't use a forwarder.
Consider using [host::...] or [source::...] stanzas to set TZ for each host or source.
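A props.conf fragment illustrating the per-host and per-source stanzas suggested above. This is an added example, not configuration posted by anyone in this thread; the host name, log path and tz identifiers are assumptions chosen to match the -0400 and +0000 offsets in the question.

```ini
# props.conf on the indexer (no forwarder in use, so timestamp parsing happens here).
# Added example: host names, paths and TZ values are assumed, not from the thread.

# Host whose logs carry timezone=-0400 (US Eastern daylight time in April 2020)
[host::app-east-01]
TIME_PREFIX = TIMESTAMP=\s*
TIME_FORMAT = %Y/%m/%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 24
TZ = US/Eastern

# Source whose logs carry timezone=+0000
[source::/var/log/app/utc-*.log]
TIME_PREFIX = TIMESTAMP=\s*
TIME_FORMAT = %Y/%m/%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 24
TZ = UTC
```

With these stanzas, 2020/04/10 08:20:50.370 from app-east-01 is indexed as the corresponding UTC epoch, and a user whose Splunk timezone preference is +0800 sees it as 2020/04/10 20:20:50.370 in search results; this only works when each host or source has a fixed offset.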