I am trying to index a WebSphere WAS log, where the time sone format is like this
[24/11/11 10:49:57:538 EST] 0000004a ServletWrapper I SRVE0242I: [custom-webapp] [/app]
- The EST used here I think means Australian EST not American EST !
- Splunk reads the log fine BUT ... it treats the 'raw input' time to US EST
- e.g the entry above which was recorded at 10.49 am is indexed as 11/25/11 2:49:57.538 AM
- this suggests that Spunk has interpreted this date as US EST raw
- and 'wound this date/time' forward to its Oz equivalent namely Nov 25th at 2.49 am
What I actually want Splunk to do is treat this date time as Australian 'as is' - namely the date in the index = exactly the same as the date recorded
I've tried the following changes to props.conf without success
[host::my_host*] TZ = Australia/Melbourne
I suspect that Splunk sees EST in the input file and assumes its US EST and then sees TZ and adds the diff between US EST and Oz to the input values - thus winding my logs entries fwd
I just want them to be treated 'as is'
Can you help ?
