Our data source is generating syslog data using UTC. Time in the syslog header is formatted as `Oct 22 15:51:14`. We made the following changes to `$SPLUNK_HOME/etc/system/default/props.conf`:
```ini
[host::<hostname>]
TZ = UTC
```
The <hostname> specified above is the host generating the syslog message. The CentOS server on which Splunk is installed is initialized to be in the EDT timezone.
We also modified our Splunk application's props.conf as follows:
```ini
# props.conf source stanzas take the form [source::<pattern>] (double colon)
[source::tcp:]
TZ = UTC
```
However, when we search the data from Splunk, we don't see the data converted to the local time (EDT/Eastern). Splunk is able to parse the date/time field though.
Are there other configuration changes needed to handle timezone changes?
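The following is an added worked example, not part of the original question or of Splunk's own code. It models what a `TZ` setting on a source does: a legacy syslog header like `Oct 22 15:51:14` carries neither year nor zone, so the indexer has to assume both before it can compute the epoch `_time` it stores, and only afterwards is that epoch rendered in the viewer's time zone. The sample log line, the year 2019, and the fixed-offset `UTC`/`EDT` zone table are assumptions made for this example (Splunk takes IANA names such as `America/New_York` and applies DST rules itself). The `skew_seconds` helper gives the check a practitioner wants here: if the stored epoch for a UTC source is 14400 seconds (4 hours) too late, the header was interpreted in the indexer's local EDT instead of UTC, so the `TZ` stanza is not matching.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample syslog line (not from the original post).
SAMPLE = "Oct 22 15:51:14 webhost01 sshd[1234]: Accepted publickey for ops from 10.0.0.5"

# Fixed offsets are an assumption for this example; Splunk's TZ setting takes
# IANA zone names and handles DST transitions itself.
ZONES = {
    "UTC": timezone.utc,
    "EDT": timezone(timedelta(hours=-4), "EDT"),
}

HEADER_FMT = "%b %d %H:%M:%S"


def parse_syslog_ts(line, source_tz, year):
    """Parse the legacy syslog header and attach the zone the source is
    assumed to write in. `source_tz` plays the role of the props.conf TZ
    setting; `year` is needed because the header has none."""
    ts_text = " ".join(line.split()[:3])  # "Oct 22 15:51:14"
    naive = datetime.strptime(f"{year} {ts_text}", f"%Y {HEADER_FMT}")
    return naive.replace(tzinfo=ZONES[source_tz])


def epoch(line, source_tz, year):
    """The value Splunk would store as _time (UTC epoch seconds)."""
    return int(parse_syslog_ts(line, source_tz, year).timestamp())


def render(line, source_tz, viewer_tz, year):
    """What a search user in `viewer_tz` sees for the stored _time.
    Rendering happens on the stored epoch, independent of the source zone."""
    stored = parse_syslog_ts(line, source_tz, year)
    return stored.astimezone(ZONES[viewer_tz]).strftime("%Y-%m-%d %H:%M:%S %Z")


def skew_seconds(line, assumed_tz, actual_tz, year):
    """Error in the stored epoch if the header was interpreted in `assumed_tz`
    when the source actually wrote it in `actual_tz`. A positive 14400 here
    means a UTC header was taken as EDT (the indexer's local zone)."""
    return epoch(line, assumed_tz, year) - epoch(line, actual_tz, year)


if __name__ == "__main__":
    print("stored _time (TZ=UTC applied):", epoch(SAMPLE, "UTC", 2019))
    print("viewer in EDT sees:", render(SAMPLE, "UTC", "EDT", 2019))
    print("skew if TZ stanza did not match:", skew_seconds(SAMPLE, "EDT", "UTC", 2019))
```

When the `TZ = UTC` stanza is applied, the 15:51:14 header is stored as 15:51:14 UTC and a user whose Splunk preference is Eastern sees it as 11:51:14 EDT; when the stanza does not match, the same header is stored 4 hours late and the rendered time is 15:51:14 EDT, which is the symptom described above. Comparing the raw `_time` epoch of an indexed event against the expected UTC epoch is the quickest way to tell which case applies.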