How do I set timezone properly in props.conf?

vpuri6004
New Member

Our data source is generating syslog data using UTC. Time in the syslog header is formatted as Oct 22 15:51:14. We made the following changes to $SPLUNK_HOME/etc/system/default/props.conf:

[host::<hostname>]
TZ = UTC

The <hostname> specified above is the host generating the syslog message. The CentOS server on which Splunk is installed is initialized to be in the EDT timezone.

We also modified our Splunk application's props.conf as follows:

[source:tcp:<port>]
TZ = UTC

However, when we search the data from Splunk, we don't see the data converted to the local time (EDT/Eastern). Splunk is able to parse the date/time field though.

Are there other configuration changes needed to handle timezone changes?


woodcock
Esteemed Legend

The only file that you should need to use is this:

$SPLUNK_HOME/etc/apps/<YourApp>/default/props.conf

Assuming that all hosts are UTC, you can just add this:

[default]
TZ=UTC

You should NOT modify anything about how Splunk talks to itself. Splunk always normalizes every event to UTC for indexing (creating the _time field) so all it needs to know is the TZ that is used for each event's timestamp. The Indexers know how to check host OS to determine UTC of system clock.

The reason that you "do not see data converted to EDT" is because you are misunderstanding how Splunk works. You need to go to Your Account Name -> Edit Account -> Time zone and select the TZ that you will be using to talk to Splunk. Next, on the Events tab, find the Raw/List/Table link on your Search Head that is just above your search results and just under the graph and all the way to the left and make sure it is set to List. This will add a column to your search results called Time which will show your preferred normalized timestamp (in your case, EDT). The timestamp inside the raw event will never change and will always be exactly the way it was when the thing that generated it sent it to Splunk.

Also, only newly indexed events are affected by changes to this setting; older events will stay "wrong".

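To make the two halves of the answer above concrete (TZ in props.conf decides how a zone-less syslog timestamp is turned into a UTC epoch for _time; the account time zone decides how that epoch is displayed), here is an added Python illustration that is not from the thread or from Splunk itself. The syslog line, the helper names and the year 2015 (RFC 3164 headers carry no year) are constructed for the example.

```python
"""Splunk-style timestamp normalization: the assumed source TZ (props.conf)
fixes the epoch, the viewer's account TZ only changes the rendering.
Added example with constructed data; not Splunk's own code."""
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed syslog line in the format from the question: no year, no offset.
SAMPLE_LINE = "Oct 22 15:51:14 webhost sshd[1234]: Accepted publickey for admin"
SYSLOG_TIME_FMT = "%b %d %H:%M:%S"


def parse_syslog_epoch(line: str, assumed_tz: str, year: int) -> int:
    """Parse the RFC 3164 header time and return a UTC epoch, interpreting
    the zone-less timestamp in `assumed_tz` (the job of TZ in props.conf)."""
    header = " ".join(line.split()[:3])          # "Oct 22 15:51:14"
    naive = datetime.strptime(header, SYSLOG_TIME_FMT).replace(year=year)
    aware = naive.replace(tzinfo=ZoneInfo(assumed_tz))
    return int(aware.timestamp())                # identical for every viewer


def render_for_user(epoch: int, user_tz: str) -> str:
    """What the Time column shows: the same epoch in the account's TZ."""
    local = datetime.fromtimestamp(epoch, tz=ZoneInfo(user_tz))
    return local.strftime("%Y-%m-%d %H:%M:%S %Z")


def skew_seconds(line: str, correct_tz: str, wrong_tz: str, year: int) -> int:
    """How far _time drifts if props.conf assumes the wrong source TZ.
    This is the shift that makes UTC events appear 'in the future' on an
    EDT indexer and breaks correlation with other sources."""
    return (parse_syslog_epoch(line, wrong_tz, year)
            - parse_syslog_epoch(line, correct_tz, year))


if __name__ == "__main__":
    epoch = parse_syslog_epoch(SAMPLE_LINE, "UTC", 2015)
    print(epoch)                                          # 1445529074
    print(render_for_user(epoch, "America/New_York"))     # 2015-10-22 11:51:14 EDT
    print(render_for_user(epoch, "UTC"))                  # 2015-10-22 15:51:14 UTC
    print(skew_seconds(SAMPLE_LINE, "UTC", "America/New_York", 2015))  # 14400
```

The raw event text is untouched throughout; only the epoch stored in _time and its rendering change, which is why fixing TZ only helps events indexed after the change.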

santosh_sshanbh
Path Finder

With respect to the above answer, in my case the user has to see data for more than 20 servers which are in different time zones. So it is practically impossible to change the TZ from the settings menu each time the user navigates to a different server. I want the dashboard to automatically show the data in the source server's time zone. How can this be done automatically?


woodcock
Esteemed Legend

This is indeed a flaw in Splunk's overall design. Please open an Enhancement Request Ticket requesting that dashboard panels with a timepicker have the option for a control to select any TZ to apply.


somesoni2
Revered Legend

First of all, you shouldn't change anything in the folder $SPLUNK_HOME/etc/system/default. You should make all the changes to $SPLUNK_HOME/etc/system/local. Secondly, on which server (Forwarder/Indexer) did you make these props.conf changes, and did you restart the Splunk server after making the change?
