I have tried the above without success 😞
By default, Splunk applies time zones using these rules, in this order:
FIRSTLY. Splunk uses any time zone specified in raw event data (for example, PST, -0800).
And my log has an eye-catching EST in it!
e.g. [24/11/11 10:49:57:538 EST] 0000004a ServletWrapper I SRVE0242I: [custom-webapp] [/app]
Then ... Splunk uses the value of a TZ attribute set in props.conf, if the event matches the host, source, or source type specified by the stanza.
And then ... Splunk uses the time zone of the Splunk server that indexes the event.
So I suspect my props.conf is being bypassed because it sees EST in there already.
My host name matches the wildcard in the props stanza.
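The precedence order quoted in the post above, modelled as an added example (not part of the original post and not Splunk's own code), run against the sample log line from the post. The abbreviation offsets, the host pattern `app-host-*`, the props TZ value, the server time zone and the day-first reading of the date are all assumptions made for illustration.

```python
import fnmatch
import re
from datetime import datetime, timedelta, timezone

# Assumed abbreviation table for this sketch (abbreviations can be ambiguous).
ABBREVIATIONS = {"EST": timezone(timedelta(hours=-5)),
                 "PST": timezone(timedelta(hours=-8))}
# Hypothetical props.conf, reduced to host pattern -> TZ offset.
PROPS_TZ = {"app-host-*": timezone(timedelta(hours=1))}
# Hypothetical time zone of the indexing server.
SERVER_TZ = timezone.utc

# Matches "[24/11/11 10:49:57:538 EST]"; the zone token is optional.
STAMP = re.compile(
    r"\[(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}):(\d{3})"
    r"(?: ([A-Z]{2,5}|[+-]\d{4}))?\]")

SAMPLE = ("[24/11/11 10:49:57:538 EST] 0000004a ServletWrapper I "
          "SRVE0242I: [custom-webapp] [/app]")

def resolve_tz(raw, host):
    """Return (tzinfo, rule_name) using the three rules in order."""
    m = STAMP.search(raw)
    token = m.group(3) if m else None
    # Rule 1: a zone in the raw event wins over everything else.
    if token in ABBREVIATIONS:
        return ABBREVIATIONS[token], "event"
    if token and token[0] in "+-":
        offset = timedelta(hours=int(token[1:3]), minutes=int(token[3:5]))
        return timezone(offset if token[0] == "+" else -offset), "event"
    # Rule 2: TZ from a props.conf stanza that matches the host.
    for pattern, tz in PROPS_TZ.items():
        if fnmatch.fnmatch(host, pattern):
            return tz, "props.conf"
    # Rule 3: fall back to the indexing server's zone.
    return SERVER_TZ, "server"

def to_utc(raw, host):
    """Parse the bracketed timestamp and normalise it to UTC."""
    m = STAMP.search(raw)
    tz, _ = resolve_tz(raw, host)
    # Assumption: the date is day/month/year.
    local = datetime.strptime(m.group(1), "%d/%m/%y %H:%M:%S")
    local = local.replace(microsecond=int(m.group(2)) * 1000, tzinfo=tz)
    return local.astimezone(timezone.utc)

if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE.replace(" EST", "")):
        print(resolve_tz(line, "app-host-01")[1], to_utc(line, "app-host-01"))
```

With the EST token present the first rule decides and the host-matched stanza is never consulted; the same line without the token falls through to the props.conf value.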