Splunk Search

Does TZ value specified in props.conf apply only to the Index timestamp?

SwatiApte
Path Finder

Hi,

The data that we fetch from a database has multiple time-based columns (one in UTC, and the rest in BST). Our Splunk server is on BST. We are running Splunk 6.1.5 and DBC 1.1.6. We initially thought of converting the UTC-based column using the Oracle timezone cast function and get it as per BST. But then since we specified this as our rising column, it wasn’t picking data for the past 1 hour as the CAST function it by an hour.

We then tried to make an entry in the props.conf to specify that our data is in UTC. Now the column that was in UTC is being indexed as expected and is showing the converted value on our dashboard. However, all the other time columns have still got the BST values. We want to understand if specifying the TZ value applies only to the indexed column or for all columns in the event message?

0 Karma

woodcock
Esteemed Legend

When you tell Splunk how to timestamp an event and tell it what Timezone to use with the TZ parameter in props.conf, this does only apply to the field that you specify that Splunk use for timestamping, which you can see as field _time. However, the data in the event itself is absolutely not modified in any way and you have to do this yourself using the strftime and strptime and relative_time functions to normalize it to your needs (you can create a macro for this to make it semi-automatic and less of a hassle). You could also convert the data in your DB (I know). You could also convert each datetime in the SQL query itself to force it to come into Splunk pre-normalized to whatever TZ you like; this is documented here:

http://stackoverflow.com/questions/19613638/sql-server-convert-datetime-into-another-timezone

Lastly, you need to tell your Splunk web session what timezone you are in, too! Go to `` -> Edit account -> Time zone and set it correctly for your timezone.

0 Karma
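The distinction described in the answer above, as an added example that is not part of the original thread and is not Splunk code: a Python model in which the configured zone only decides how the timestamp column becomes `_time`, while the other columns stay raw strings until they are normalized explicitly. The column names, the sample row and the reading of "BST" as Europe/London wall-clock time are assumptions made for illustration.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

FMT = "%Y-%m-%d %H:%M:%S"
UTC = timezone.utc
# Assumption: the "BST" columns hold UK wall-clock time (BST in summer, GMT in winter).
LONDON = ZoneInfo("Europe/London")

def index_time(raw, tz=UTC):
    """Model of the TZ setting: it only decides how the timestamp column becomes _time (epoch)."""
    return datetime.strptime(raw, FMT).replace(tzinfo=tz).timestamp()

def local_to_utc(raw, zone=LONDON):
    """Convert a wall-clock string to UTC and flag daylight-saving edge cases."""
    naive = datetime.strptime(raw, FMT)
    first = naive.replace(tzinfo=zone, fold=0)
    second = naive.replace(tzinfo=zone, fold=1)
    utc = first.astimezone(UTC)
    if utc.astimezone(zone).replace(tzinfo=None) != naive:
        note = "nonexistent"   # falls in the spring-forward gap
    elif first.utcoffset() != second.utcoffset():
        note = "ambiguous"     # occurs twice at fall-back; first occurrence used
    else:
        note = "ok"
    return utc.strftime(FMT), note

def normalize_event(event, ts_field, local_fields):
    """Return a copy with _time plus UTC versions of the other columns; raw values stay untouched."""
    out = dict(event)
    out["_time"] = index_time(event[ts_field])
    for name in local_fields:
        out[name + "_utc"], out[name + "_note"] = local_to_utc(event[name])
    return out

# Constructed sample row; the column names are hypothetical.
SAMPLE = {"EVENT_TS": "2015-07-01 09:00:00",
          "CREATED": "2015-07-01 10:00:00",
          "UPDATED": "2015-10-25 01:30:00"}

if __name__ == "__main__":
    for key, value in normalize_event(SAMPLE, "EVENT_TS", ["CREATED", "UPDATED"]).items():
        print(key, "=", value)
```

Rows flagged `ambiguous` or `nonexistent` are the ones to review before correlating them with other sources, since a one-hour error there reorders events on a timeline.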