Hi!
I am having a problem collecting logs from Windows Server 2008 R2. The timezone is always the same as the one on the Splunk server (ver 5.0.5).
I have tried to use the TZ setting with a host stanza, but it didn't work. But I confirmed that if you force a change to _time with the EVAL parameter in props.conf, it does work.
[host::WIN-M02LJSSWVMU]
TZ = UTC
EVAL-_time = _time - 32400
I would appreciate it if someone could share a workaround to make the Splunk server recognize the timezone correctly from the forwarder on Windows OS.
I asked this question because I wasn't sure if the below link is already committed to Splunk or not. http://answers.splunk.com/answers/9747/are-windows-eventlogs-from-windows-forwarder-lacking-timezone