
How does timezone assignment work for timezoneless events with one or more Intermediate Forwarders?

One of the new features in Splunk 6.0+ is the capability of a forwarder assigning a timezone to an event in the situation where the timestamp can't be parsed from the raw event, and there isn't any props configuration assigning a timezone. This assignment is described as being based on the OS of the forwarder, and ultimately the Indexer itself. Events like this show up as "date_zone = local".

I'm hoping that somebody has some experience with this interaction, and can explain what happens when you have one or more Intermediate Forwarders (source Universal Forwarder sends to Intermediate "Heavy Forwarder" which sends to an Indexer, or even another Heavy Forwarder). Assuming the whole chain is 6.0+, should we expect the timezone to be assigned at the Universal Forwarder and stay that way? Or does the assignment happen when the data is "cooked" at the Heavy Forwarder? Or does it happen whenever the event passes through a pipeline at all? Thanks for any help!
