Hello,
I'm using the latest Splunk to collect event logs from a number of W2K8 servers as well as Checkpoint. Everything is working just fine except that if I search logs from Checkpoint in Splunk they appear to be two hours ahead (the time is correct, just two hours ahead). I double-checked the system clock on the CP Management gateway and Splunk server - it's correct and synced. No issues with logs coming from Windows servers.
Seems like a timezone setting somewhere in Splunk but I can't find it.
PS: Setting timezone for a user didn't help.
Any hints would be greatly appreciated!
Thanks.
The timezone (TZ) can be set in the props.conf file based on either host, source or sourcetype. Here is a quick example:
[host::nyc*]
TZ = US/Eastern
Here is a link to more information:
http://docs.splunk.com/Documentation/Splunk/latest/Data/ApplyTimezoneOffsetsToTimeStamps
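An added example, not part of the original answer: a Python sketch that measures, per host, how far zone-less event timestamps land from the time the events were received, which gives the UTC offset a per-host TZ stanza has to express. The host names, timestamps and the assumption that the indexer reads zone-less timestamps as UTC are constructed for illustration; the zone name in the generated stanza is a placeholder to fill in.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not from the thread): host, zone-less timestamp as
# written in the raw event, and the UTC time the indexer received the event.
SAMPLES = [
    ("cp-mgmt-01", "2024-03-05 14:00:03", "2024-03-05 12:00:04"),
    ("cp-mgmt-01", "2024-03-05 14:05:41", "2024-03-05 12:05:41"),
    ("cp-mgmt-01", "2024-03-05 14:09:58", "2024-03-05 12:10:00"),
    ("w2k8-app-01", "2024-03-05 12:00:10", "2024-03-05 12:00:11"),
    ("w2k8-app-01", "2024-03-05 12:07:30", "2024-03-05 12:07:30"),
]

def skew_hours(samples, assumed_offset_hours=0.0):
    """Per host: median (event time - receipt time) in hours, rounded to the
    nearest quarter hour, with timestamps read at the assumed UTC offset."""
    assumed = timezone(timedelta(hours=assumed_offset_hours))
    per_host = {}
    for host, raw, received in samples:
        event = datetime.strptime(raw, FMT).replace(tzinfo=assumed)
        recv = datetime.strptime(received, FMT).replace(tzinfo=timezone.utc)
        per_host.setdefault(host, []).append((event - recv).total_seconds() / 3600)
    return {h: round(median(v) * 4) / 4 for h, v in per_host.items()}

def hosts_needing_tz(samples, assumed_offset_hours=0.0):
    """Hosts with a constant shift, mapped to the UTC offset their timestamps
    are really written in (assumed offset + observed skew)."""
    skew = skew_hours(samples, assumed_offset_hours)
    return {h: assumed_offset_hours + s for h, s in skew.items() if s != 0}

def stanza(host, offset_hours):
    """props.conf stanza in the form shown in the answer; the zone name is a
    placeholder because an offset alone does not identify a zone."""
    minutes = int(round(abs(offset_hours) * 60))
    sign = "+" if offset_hours >= 0 else "-"
    utc = f"UTC{sign}{minutes // 60:02d}:{minutes % 60:02d}"
    return f"[host::{host}]\nTZ = <zone name for {utc}>"

if __name__ == "__main__":
    for host, offset in hosts_needing_tz(SAMPLES).items():
        print(stanza(host, offset))
```

A skew that is a constant whole or half hour for one host while other hosts sit at zero points to timezone interpretation rather than clock drift, which shows up as a small, changing offset.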
Thank you!