Timestamp Issues
Scenario-2: Event timestamp & _time field have a difference, which is the same for all events
Root Cause: Data is coming from a different time zone, but the Forwarder is configured with the UTC timezone. So that difference in the timezones reflected during the search
Solution: Configure the Time zone property “TZ” in the sourcetype, as shown below in props.conf file
[host::nyc*]
TZ = US/Eastern
[host::ind*]
TZ = Asia/Kolkata
[host::canad*]
TZ = America/Glace_Bay
Root Cause: Data is coming from a different time zone, but the Forwarder is configured with the UTC timezone. So that difference in the timezones reflected during the search
Solution: Configure the Time zone property “TZ” in the sourcetype, as shown below in props.conf file
[host::nyc*]
TZ = US/Eastern
[host::ind*]
TZ = Asia/Kolkata
[host::canad*]
TZ = America/Glace_Bay