Hi, I'm trying to set up a Splunk forwarder to Splunk Storm on a server. I installed the forwarder and registered the auth key. I am receiving data from our own log and IIS. The IIS log is in UTC; I tried changing the TZ for that, but for some reason it's still showing up in the dashboard 5 hours ahead of time. Any ideas?
Here are my configs:
SplunkUniversalForwarder\etc\system\local\inputs.conf
[default]
host = TRAVEL01USW
[monitor://c:OfferLogHotelsLogger.log]
[monitor://C:inetpublogsLogFilesW3SVC1*]
sourcetype = customiis
SplunkUniversalForwarder\etc\system\local\props.conf
[customiis]
TZ = UTC
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = True
REPORT - iis2 = iis2
SplunkUniversalForwarder\etc\system\local\transforms.conf
[iis2]
DELIMS = " "
FIELDS = date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), sc-status, sc-substatus, sc-win32-status, time-taken
Also, let me add that it seems that the transform is not working, since time_taken is not showing up as a field.