Splunk adds one hour to the timestamp when indexing logs.
Logs:
9/18/17 3:46:01.000 PM --> time Splunk shows
[][hello][please][help][18/Sep/2017:14:46:01 -0500] --> actual log
I have added the below in my props.conf:
[host::xyz*]
TZ = US/Eastern
Also tried TZ = America/New_York (GMT -5:00)
Server shows this date - Sat Sep 30 15:22:18 EDT 2017