Hi Team,
We have Client UFs on UTC. And Splunk HF, IDX and SH on CST timezone. The Splunk Enterprise version is v7.0.4 .
We have created props and tried both TZ=US/Central and TZ=America/Chicago (one at a time) so that when the log is search, we expect that they are no difference on timestamp (_time) and time present on eventdata.
We have the props present on the UF and Heavy Forwarder but not in Indexers.
Unfortunately, the TZ attribute on props.conf seems like not working on Splunk Enterprise version 7.0.4 .
Is this a known bug?
We cannot change the timezone for the user on Splunk Account Setting since it will change something on the other logs that they are working on.
Regards,
Kevin
↧