I have events that are being indexed and appearing to be timestamped in the future. The raw events contain a timezone:
2016 Sep 27 14:11:00:999 GMT +1 DOUGTEST2.C2020Tmp-Process_Archive user [BW-User] Job-9999 C2020GetOfferByIdWS Completed
In props.conf I have:
TIME_FORMAT=%Y %b %d %H:%M:%S.%3N %Z %:::z
The event appears in search showing 15:11 as the time (`_time = 2016-09-27T15:11:00.999+01:00`). The event actually happened at 14:11 British Summer Time, which is GMT +1, which is what is shown in the raw event. I have my user settings at the correct timezone (GMT:London), my user locale is en_GB in the Splunk Cloud URL, and all data from other data sources is showing up correctly in the indexes.
The data is going from a Universal Forwarder to a Heavy Forwarder (where the props.conf is set) and then on to Splunk Cloud.
I have tried adding a TZ = Europe/London to props.conf but that doesn't fix it.
Where am I going wrong here?
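An added diagnostic, not part of the question above and not Splunk's own parsing code: it parses the leading timestamp of the raw event (including its `GMT +1` offset), computes the epoch the event should have been indexed at, and compares that with the `_time` the search returned. A skew that equals the event's own UTC offset is what you would see if the wall-clock time were taken as UTC and the offset never applied. The regex is my own approximation of the `%Y %b %d %H:%M:%S.%3N %Z %:::z` layout; it also captures the millisecond separator, because the raw event in the question uses `:999` where the TIME_FORMAT expects `.%3N`, and a strict parser should surface that mismatch. The sample values are copied from the question.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample values taken from the question: the raw event line and the _time
# shown in search for that event.
RAW_EVENT = ("2016 Sep 27 14:11:00:999 GMT +1 DOUGTEST2.C2020Tmp-Process_Archive "
             "user [BW-User] Job-9999 C2020GetOfferByIdWS Completed")
OBSERVED_TIME = "2016-09-27T15:11:00.999+01:00"

# Hypothetical regex approximating "%Y %b %d %H:%M:%S<sep>%3N %Z <offset>".
# <sep> is captured so a dot/colon mismatch can be reported; the offset
# accepts "+1", "+01", "+0100" and "+01:00".
TS_RE = re.compile(
    r"^(?P<y>\d{4}) (?P<mon>[A-Za-z]{3}) (?P<d>\d{1,2}) "
    r"(?P<H>\d{2}):(?P<M>\d{2}):(?P<S>\d{2})(?P<sep>[.:])(?P<ms>\d{3}) "
    r"(?P<tzname>[A-Z]{2,5}) (?P<sign>[+-])(?P<oh>\d{1,2})(?::?(?P<om>\d{2}))?"
)


def parse_raw_timestamp(line, expected_ms_sep="."):
    """Return (aware datetime, warnings) for the timestamp at the start of a raw event."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("timestamp did not match the expected layout")
    warnings = []
    if m["sep"] != expected_ms_sep:
        warnings.append(
            f"millisecond separator is '{m['sep']}' but the format expects '{expected_ms_sep}'"
        )
    offset = timedelta(hours=int(m["oh"]), minutes=int(m["om"] or 0))
    if m["sign"] == "-":
        offset = -offset
    naive = datetime.strptime(
        f"{m['y']} {m['mon']} {m['d']} {m['H']}:{m['M']}:{m['S']}", "%Y %b %d %H:%M:%S"
    )
    aware = naive.replace(microsecond=int(m["ms"]) * 1000, tzinfo=timezone(offset))
    return aware, warnings


def diagnose(raw_line, observed_iso, expected_ms_sep="."):
    """Compare the time the raw event states with the _time the indexer assigned."""
    expected, warnings = parse_raw_timestamp(raw_line, expected_ms_sep)
    observed = datetime.fromisoformat(observed_iso)
    skew = (observed - expected).total_seconds()
    tz_offset = expected.utcoffset().total_seconds()
    if skew == 0:
        verdict = "ok"
    elif skew == tz_offset:
        # Indexed time is ahead by exactly the event's own offset: the wall
        # clock was treated as UTC and the offset was not applied.
        verdict = "offset-ignored"
    else:
        verdict = "other"
    return {
        "expected_epoch": expected.timestamp(),
        "observed_epoch": observed.timestamp(),
        "skew_seconds": skew,
        "verdict": verdict,
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(diagnose(RAW_EVENT, OBSERVED_TIME))
```

Run it against the values from the question and the skew comes out at exactly 3600 seconds, the same as the `+1` offset in the event, with a warning that the millisecond separator is `:` rather than the `.` the format expects. Feeding it a line that uses `.999` and an `_time` of `2016-09-27T14:11:00.999+01:00` gives a skew of zero and no warnings, which is the state to aim for before trusting time-based searches or alert windows on this source.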