I have two sources in Splunk that for some reason started to offset and I don't know why.
sources - source="cisco:ucs:etherTxStats" OR source="cisco:ucs:etherRxStats"
props.conf
[source::cisco:ucs:etherRxStats]
FIELDALIAS-dest = dn as dest
TIME_PREFIX = timeCollected="
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%3N
TZ = UTC
What I am seeing in the logs
broadcastPacketsDeltaMax="434",jumboPackets="3848529",timeCollected="2016-08-29T10:25:59.320",jumboPacketsDelta="0"
The timecollected is in localtime, but indextime is 5:25:59.320 AM which is strange since that is 5 hours before instead of 5 hours after which I would assume given settings in Props. I could fix this by editing props, but this seems like a bug.
I checked and the UCS Pod has its defaults for time and timezone.
Any ideas?
↧
Splunk Add-on for Cisco UCS: Why is the timezone offset for certain sources not working correctly?
↧