My indexers and searchheads in my central datacentre are configured in UTC timestamp but I have universal/light forwarders around the world in many different time zones.
I know the hosts my forwarders are installed on have correct time zone settings. So I'd like to use the host timezone (point number 3 in this document) rather than override it but I can't get it right.
Hence my 2 questions : * How does splunk determine the splunk server time zone (if running on linux)? * Where is the time zone evaluated : in my case, if it's at the indexer level, it won't help...