I have a source type where IIS logs copied from another server to the forwarder are being recorded in UTC but not indicating such. Example:
2013-09-13 14:40:00 Blah 255.0.0.0 POST /example/index.aspx - 443 ...etc
The Splunk forwarder (as well as the indexer) is in CDT (Central). In the forwarder, I created a props.conf in the path c:\Program Files\SplunkUniversalForwarder\etc\system\local and inserted the following:
[source://c:\logs\path\*.log]
TZ = SH
I restarted the forwarder's SplunkForwarder service. I've waited. Splunk is still not translating the times. I even made a change to one log entry as a test, and it's still showing logs from 7 hours ago as the current hour's logs when I do a search for a string in a log entry from 7 hours ago.
Help is appreciated.
Sources used:
docs.splunk.com/Documentation/Splunk/5.0.4/Data/Applytimezoneoffsetstotimestamps
en.wikipedia.org/wiki/List_of_zoneinfo_timezones