I am using eventgen to send license_usage data to a test Splunk server. I looked at what was being sent and the time is set to -0700, which is Mountain Daylight time. My server on my VM is CentOS 6 running on Mountain Daylight time, and my Mac, which has my browser, is also set to Mountain Daylight time. Here is the event sent to the server:
03-31-2016 00:00:00.000002 -0700 INFO LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" slave="02AF8C6E-219F-4598-B8D5-C5D8CE74F8C7" poolsz=177167400960 b=31072775414 stack="enterprise" stacksz=177167400960
On the left side of the event list where it shows the time, it says 1:00:00.000 AM, and when looking at the _time value listed when you click the left cell, it shows the time as 2016-03-31T01:00:00.000-06:00.
I have no clue where the -0600 is coming from since everything is set to -0700. It is my understanding that 6.2 uses the timezone in the date if specified, then the TZ variable, ... I did add a TZ variable to my props.conf file in the local app using eventgen and also in eventgen, but that made no difference, which makes sense since the event has -0700. Where do I look? Any clues?