Splunk search for Events with no timezone specified
Copy
| tstats count where index=* date_zone=local by index, sourcetype
This Splunk search will provide a list of all sourcetypes that currently do not have a timezone set in props.conf. This search can be useful for troubleshooting timestamping issues that can arise when a timezone is not explicitly set. For example, if your Universal Forwarder and Indexer exist in different timezones.
0 comments
[0]
[0]
[0]
[0]
Sign in or Register to submit a comment