If there is a log like below that have time zone "+00:00", how can I set different time zone?
2018/5/9 3:00:00+00:00 this is test
If I input this log, system time zone of my splunk server is `JST` and difference of UTC and JST is +9 hours, so normally `_time` will be `2018/5/9 12:00:00`.
But I want `splunk` to recognize this log's time zone is JST, so I configured `TZ = Asia/Tokyo` in props.conf of `HF`.
*In my environment there are `HF` and `Indexer`
Then I was thinking that `_time` would be `2018/5/9 3:00:00`, but `_time` wasn't changed.
Did I set `TZ` in wrong place?
Or if the time zone is described in the log, does it override the `TZ` setting and there is no way to avoid it?
Please someone tell me about it.
↧