Hi, I'm running the newest Splunk, with a syslog-ng FIFO pipe as a source,
and logs are coming from around the globe.
Splunk is in the US, so when logs from China hit Splunk they are about 10 hours ahead, and they don't show up in search until Splunk itself reaches that hour:
Jun 8 23:37:39 tok-* SYST: Port 29 link active 100Mbs FULL duplex
Jun 8 20:07:40 10.115.1.2 SNTP: The SNTP server parameter value (pool.ntp.org) can not be resolved.
Jun 8 10:37:47 del-## Jun: 8 20:05:42 netTool.sntp: : Failed to sntp request to server 10.**
As you can see, the logs arrive with local times, and they get indexed like that.
The time on the Splunk machine is now 10:37, and the last log shows two time zones.
I don't have a source in props.conf
because I don't use files to import the logs;
all I have is the syslog pipe, and Splunk is set up with:
[fifo:///var/syslog-ng/syslog_fifo]
disabled = false
host = MYHoST
sourcetype = syslog
How can I change that so all of the logs are indexed with both time zones, or just with the Splunk local time instead of the sender's local time?
Thanks
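As an added example (not part of the original post, and not something the poster tried), this is the kind of props.conf fragment Splunk uses to tell the timestamp parser which time zone a raw timestamp is written in. Splunk stores _time in UTC and renders it in each searcher's zone, so the goal is not to index "two time zones" but to make sure the raw local time is converted correctly at index time. The host patterns and zone names are assumptions based on the tok-/del- prefixes in the sample lines; substitute the real ones.

```ini
# props.conf on the Splunk instance that parses the fifo input (the indexer in
# the question's setup). Added example, not from the original post. Host patterns
# and time zones below are assumptions; replace them with the real device names
# and zones.

# Events whose host starts with "tok-" carry Japan local time.
[host::tok-*]
TZ = Asia/Tokyo

# Events whose host starts with "del-" carry India local time.
[host::del-*]
TZ = Asia/Kolkata

# Fallback for everything else on this sourcetype. If TZ is left unset, Splunk
# interprets raw timestamps in the indexer's own system time zone, which is the
# "just use the Splunk local time" behaviour asked for; set it explicitly only if
# the indexer's clock is not the zone you want.
[syslog]
TZ = America/New_York
```

Two caveats worth checking before relying on this. First, the fifo stanza in the question sets `host = MYHoST` for every event, so a `[host::tok-*]` stanza can only match if the host has already been rewritten to the device name by the time the timestamp is parsed; as far as I know the stock syslog host extraction runs after timestamp parsing, so if the host:: stanzas have no effect, split the feed in syslog-ng into one FIFO per region, give each its own inputs.conf stanza and sourcetype, and put `TZ` on those sourcetype stanzas instead. Second, `TZ` is applied at index time, so it fixes only events indexed after the change; events already in the index keep the _time they were given.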