Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is timestamp different in Splunk compared to the logs and can I view the timezone setting in Splunk Web?

rais317
New Member
‎02-03-2015 07:06 PM

I have a question,

Can I view time zone setting in the Splunk web? I need to check what time zone been set in Splunk.

Example log taken from Splunk
Jan 27 08:53:39 xx.xx.xxx.xxx Jan 27 16:51:35 [2015-01-27 16:51:35.984

If you refer to example above, highlighted Italic is refer to ESX Server. ESX setting UTC Time Zone.

To more detail and make easier reader understand.
1. When I click the Splunk App and it appear Internet Explorer (Splunk > Home)
2. Then I click search
3. Then I click Data Summary and appear dialog box to me to choose which ESX. This is more interesting part because column Last Update in my Time Zone
4. After clicking one host then it appear the log report (like example)

Additional Infomation
Splunk install in Windows Server 2008 and time zone in Desktop is local time(+8). I said Splunk installation on this server due to I can see Splunk web services in this server. Lastly I check file "props.conf" not found any TZ.

Hope someone can help me regarding this.

Thanks,

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2015 04:28 PM

You can see and edit the time zone used to display data for your user by clicking your user name in the top bar of the Splunk UI.

Reply

Masa
Splunk Employee
Splunk Employee
‎02-06-2015 05:20 PM

Martin already answered to this question.

Additional Info.

"Why is timestamp different in Splunk compared to the logs?"
1. At index time, Splunk parse and set time stamp in epoch time.
2. At search time, Splunk search events with epoch time based on User's timezone so that user can see when the event happened based on user's time.

http://docs.splunk.com/Documentation/Splunk/6.2.1/data/Applytimezoneoffsetstotimestamps

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...