I've got a variety of customers sending data in to our Splunk indexer. One particular customer has all of their servers set to GMT time (coincidentally our only Linux customer on this particular indexer).
I've modified the props.conf to reflect the following:
```
[linux_secure]
TZ = GMT
```
The _time field has not changed. Is this the local (Splunk indexer time) when the event was indexed? Will the _time field never change regardless of TZ change?
The reason for this question is that I have a time reporting in within the event of `2016-02-17T13:44:15.717997+00:00` and a _time field of `2016-02-17T08:44:15.717-05:00`, obviously an offset of 5 hours.
Thanks!