I have a database log that comes in with a time stamp which is used by Splunk as the time stamp. However, I noticed the time is in UTC, which is neither my time zone nor the time zone the server is in, but somehow the database admin can't change the time reported in the raw log.
Is there a way to have Splunk convert the time to MST or its own time zone that matches that of my other logs? Can I put this in the props.conf file so it's done on the indexers before the logs are searched?
What command/string can I put in the props.conf file to make this change?
Thanks,