Getting Data In

Device specific timezone in splunk

splunker12er
Motivator

If I set a timezone specific to host names, how does Splunk search for the results?

Say for example:

I have a device in Sweden, and I set the timezone (TZ in props.conf) for this device to Swedish time.
Another device is in Australia, and I set its timezone to Australian time.

I have my Splunk deployment in the UTC timezone, so when I do a custom time search, how are the results displayed?

0 Karma

fara3
Explorer

I am using the SplunkJS Stack to do Splunk queries using JavaScript.

Is there any way to define in splunkjs.config that the user is in a specific timezone (taken from the browser)? What happens if a Swedish user logs in to the app and the next day logs in with the same user in the application while staying locally in Seattle?

Best Regards

0 Karma

grijhwani
Motivator

Whatever zone an event is localised to (be that through express definition of the zone, inferred from the source's host time zone, or failing those from the indexer's timezone), it is indexed standardised to UTC. The time presented in a search is then localised to the searching user's timezone.

So for instance, an event logged in Sweden, when displayed localised to a London user, will be time-stamped an hour earlier, or for a Bombay user 4h30 later in winter, or 3h30 in summer (because India doesn't do daylight savings). In other words it will be presented within the user's own frame of reference, and the time of the event will be that as they would have experienced it themselves.
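The following is an added illustration of the model described in this answer, not code from the answer's author or from Splunk: a device-local timestamp is interpreted in the host's configured zone and stored as a UTC epoch (the role `_time` plays), and every searcher sees that same stored value rendered in their own zone. The host names, log lines and the `index_event`/`render_for_user`/`in_search_window` helpers are constructed for the example; `Asia/Kolkata` is the IANA zone covering Bombay.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample: timestamps as each device writes them in its own local
# time, with no zone marker (the case a per-host TZ setting in props.conf covers).
SAMPLE_EVENTS = [
    ("sweden-fw01", "Europe/Stockholm", "2024-01-15 10:00:00", "winter event"),
    ("sweden-fw01", "Europe/Stockholm", "2024-07-15 10:00:00", "summer event"),
    ("sydney-fw01", "Australia/Sydney", "2024-01-15 10:00:00", "southern summer event"),
]


def index_event(host, tz_name, local_ts, msg):
    """Mimic index time: read the naive device timestamp in the host's assigned
    zone and keep only a UTC epoch, the way _time is stored."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=ZoneInfo(tz_name))
    return {"host": host, "_time": aware.timestamp(), "msg": msg}


def render_for_user(event, user_tz):
    """Mimic search time: the stored UTC epoch localised to the searcher's zone."""
    local = datetime.fromtimestamp(event["_time"], ZoneInfo(user_tz))
    return local.strftime("%Y-%m-%d %H:%M:%S %z")


def offset_hours(event, from_tz, to_tz):
    """How many hours later (or earlier, if negative) a user in to_tz sees the
    event compared with a user in from_tz. DST is applied per zone and per date."""
    a = datetime.fromtimestamp(event["_time"], ZoneInfo(from_tz))
    b = datetime.fromtimestamp(event["_time"], ZoneInfo(to_tz))
    return (b.utcoffset() - a.utcoffset()).total_seconds() / 3600


def in_search_window(event, start_local, end_local, user_tz):
    """A custom time range typed by a user is in that user's zone; it is turned
    into UTC epochs and compared against the stored _time, never against the
    device's wall-clock text."""
    tz = ZoneInfo(user_tz)
    start = datetime.strptime(start_local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    end = datetime.strptime(end_local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return start.timestamp() <= event["_time"] < end.timestamp()


if __name__ == "__main__":
    for host, tz, ts, msg in SAMPLE_EVENTS:
        ev = index_event(host, tz, ts, msg)
        for viewer in ("UTC", "Europe/London", "Asia/Kolkata"):
            print(f"{host} {msg!r} seen from {viewer}: {render_for_user(ev, viewer)}")
```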

splunker12er
Motivator

_time is the device time
_indextime is the time the event is indexed in Splunk

So, Splunk always searches for the results in the local timezone (in my case UTC), but I can see the events containing timestamps specific to their origin, i.e. native time?

Am I right with this understanding?

0 Karma

splunker12er
Motivator

If the Splunk search happens based on _indextime, what's the benefit I will be getting by setting a device-specific TZ?

0 Karma