
Configuring Time Zone of Source


Hello, I am indexing data from an MS SQL database using the DB Connect App. The time format is in Unix epoch and is being entered in the database wrong (instead of UTC, it is in UTC + 5:00). Splunk thinks it is in UTC, so it subtracts 5 hours for my timezone (Eastern). While I am working with the application administrator to figure out why time is being entered wrong, I want to tell Splunk the data is in UTC + 5:00, so I see the correct time an event happens - it currently shows that it is in the future.

I read all of the articles about configuring the time zone in props.conf. I edited the existing props.conf in /opt/splunk/etc/apps/dbx/default to include the following:

[source::dbmon-tail://database name/index name]
TZ = Asia/Karachi

I then restarted the Splunk server, both through the web interface and via command line. The data is still being indexed 5 hours in the future. I tried entering the timezone as GMT+5:00, different Asian time zones, etc. Does anybody have any suggestions?

