As with many folks, my IIS logs are set up to run with GMT timestamps. I have set up "TZ=GMT" for the sourcetype of my IIS logs, in props.conf on the indexer.
I have multiple IIS servers using the same sourcetype. For most of my servers, all is well and I see that Splunk is converting the timezone to my local timezone (Pacific) based on my settings. However, there are a few servers where I see Splunk interpreting 2 different timezones, see below:
----------
**10/21/19
7:35:55.000 AM**
*2019-10-21 07:35:55 10.1.24.88 GET /api/..snip.. - 80 - 10.1.24.81 - - 200 0 0 6
host = V-WEB-PA-2-P **source = C:\inetpub\logs\logfiles\W3SVC22\u_ex191021.log** sourcetype = ms:iis:default*
**10/21/19
7:35:54.000 AM**
*2019-10-21 14:35:54 10.1.24.88 POST /api/..snip.. - 80 - 10.1.24.88 - - 200 0 0 2
host = V-WEB-PA-2-P **source = C:\inetpub\logs\logfiles\W3SVC22\u_ex191021.log** sourcetype = ms:iis:default*
----------
Splunk is interpreting log entries with "7:35:xx" and "14:35:xx" as both IIS logs that happened at 7:35:xx local time. The correct and expected interpretation is that only log entries with "14:35:xx" should be interpreted that way.
You will notice that the same file is being used to make the two interpretations.
Can anyone please point me in the direction of where I may have mis-configured Splunk, or why this is happening?
Thank you.
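As an added example (not part of the original post or of Splunk's own code), the script below re-derives the Pacific display time for IIS W3C log lines under two assumptions: the naive timestamp is UTC (what `TZ=GMT` in props.conf should produce) or it is already local time. Running it on lines modelled on the two events above shows that the second event matches the `TZ=GMT` reading while the first only matches the as-local reading, which is the comparison to make against what the indexer actually displays. It assumes the W3C default field order (`date time ...`) and Python 3.9+ for `zoneinfo`; the fixed `PDT` fallback is a constructed stand-in valid for the October 2019 dates in the post.

```python
"""Re-derive the local time an IIS W3C log line should display for a given
timezone assumption. Added example, not from the original post. Assumes the
W3C default field order 'date time ...' with 'YYYY-MM-DD HH:MM:SS'."""
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    PACIFIC = ZoneInfo("America/Los_Angeles")
except Exception:
    # No tzdata available: constructed fallback, PDT (UTC-7) is correct for Oct 2019.
    PACIFIC = timezone(timedelta(hours=-7), "PDT")

UTC = timezone.utc

# Constructed sample lines modelled on the two events in the post (URI paths elided).
SAMPLE_LINES = [
    "2019-10-21 07:35:55 10.1.24.88 GET /api/snip - 80 - 10.1.24.81 - - 200 0 0 6",
    "2019-10-21 14:35:54 10.1.24.88 POST /api/snip - 80 - 10.1.24.88 - - 200 0 0 2",
]


def parse_iis_timestamp(line):
    """Return the naive datetime from the first two W3C fields, or None for
    '#' directive lines (#Software, #Version, #Date, #Fields) and blank lines."""
    if not line or line.startswith("#"):
        return None
    date_str, time_str = line.split(" ", 2)[:2]
    return datetime.strptime(f"{date_str} {time_str}", "%Y-%m-%d %H:%M:%S")


def to_pacific(naive, source_tz):
    """Interpret the naive timestamp in source_tz and convert to Pacific.
    source_tz=UTC models props.conf TZ=GMT; source_tz=PACIFIC models the
    symptom in the post, where the timestamp is taken as already local."""
    return naive.replace(tzinfo=source_tz).astimezone(PACIFIC)


def local_display(line, source_tz=UTC):
    """Format the converted time the way the Splunk event list shows it."""
    ts = parse_iis_timestamp(line)
    if ts is None:
        return None
    return to_pacific(ts, source_tz).strftime("%m/%d/%y %I:%M:%S %p")


def interpretations(line):
    """Both readings side by side: compare with the time Splunk displays to see
    which timezone assumption the indexer actually applied to that event."""
    return {"TZ=GMT": local_display(line, UTC), "as-local": local_display(line, PACIFIC)}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line[:19], interpretations(line))
```

For the first sample line the `TZ=GMT` reading gives 12:35:55 AM and the as-local reading gives 7:35:55 AM; for the second, `TZ=GMT` gives 7:35:54 AM. Feeding the raw lines of a suspect file through `interpretations` and lining the output up against the indexed `_time` values is a quick way to see per event which assumption was applied.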