I'm using the DB Connect app to pull data from an MS SQL database that is sitting on a server in the US Eastern time zone. The Splunk server with DB Connect is configured in UTC time. The time stamp column I'm using to extract the time stamp from the event is in Eastern time. All of the data I forward to Splunk is interpreted into UTC time but I'm having issues getting this Eastern time stamp from the database to be correctly indexed with a UTC time stamp for _time. We also use an intermediary heavy forwarder to receive the events from the DB Connect server before the events are forwarded to the indexers. It looks something like this:
MS SQL Database Server (EST) <--- Splunk DB Connect Server (UTC) ---> Intermediary Heavy Forwarder (UTC) ---> Indexer pool (UTC)
I've tried adding the following props.conf stanzas to both the DB Connect server and the Heavy Forwarder server but the events are still being indexes with an Eastern timezone time stamp.
[source::mi_input://database_input1]
TZ = US/Eastern
[source::mi_input://database_input2]
TZ = US/Eastern
We are using the output time stamp format of epoch with the following inputs.conf stanza.
output_timestamp_format = epoch
Could this be causing Splunk to automatically assume the epoch time is already in UTC? Perhaps I'm not fully understanding the the function of the TZ stanza.
How can I get Splunk to index the event from the database with a converted time stamp from EST to UTC?
Using Splunk 6.5.1 and DB Connect 2.4.0
↧