We have an HF in the UTC timezone that is receiving log events from a Universal Forwarder running in the EDT timezone.
The log events are in the UTC timezone.
The HF is configured in non-indexer mode (Indexandforward = false in props.conf) and
the HF is forwarding the events into an external application, attaching a header (Time, hostname).
The issue is:
The time that the HF is attaching is in the EDT timezone. We want this to be in the UTC timezone.
Has anyone faced this kind of issue? Please suggest solutions.
Below are the config details:

props.conf
[mysourcetype]
TRANSFORMS-route_log = route_log_external

transforms.conf
[route_log_external]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = external_out

outputs.conf
[syslog]
defaultGroup = none
maxEventSize = 50000

[syslog:external_out]
server = 127.0.0.1:12121
type = tcp
timestampformat = %b %e %H:%M:%S