Hello all,
I'm having a bit of an issue with getting the time to get parsed correctly in my Splunk DB Connect data. The setup is that we have DBX running on a heavy forwarder collecting data and forwarding it to Splunk Cloud to be indexed and all that jazz, but the problem is that the time string (with a UTC offset) is not adjusting for the offset, so the events are coming from the future!
Here is the raw event _time and the Splunk time of an example event:
```
_time: 2017-04-06T20:29:58.000-04:00
time: 2017-04-06 20:29:58.0
```
In the inputs for DBX we have the stanza for the connection setting the TZ = UTC, but I'm not super sure if that matters since it's on the forwarder and not the search head (not search time) or indexer (not index time).
I was also under the impression that UTC times were automatically adjusted in Splunk.