Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timezone issue with Splunk on Windows

let_eat_bee
New Member
‎04-12-2012 12:53 AM

I've stucked on a couple of issues on Splunk since there was changes in timezone shift in my country.

The main problem that the Splunk treats event data(all these syslog messages are sent in local time) normally and puts correct timestamp in front of them. BUT it shows incorrect time range when I choose option to search in some time range, not "all time", for example "last 15 minutes" or similar in real-time search:

for example, local time is

10:38:02

but when I choose to search for last 15 minutes it shows me no event data and writes this on the top:

1 result in the last 15 minutes (from 09:23:00 to 09:38:02 on Thursday, April 12, 2012)
as you can see, time range there is incorrect with one hour diffirence.
the same time I've got when issued the search

* | stats count AS tnow | eval tnow = now() | convert ctime(tnow)

result is

04/12/2012 09:38:02

there is no TZ settings in my props.conf(C:\Program Files\Splunk\etc\system\local)

local time on windows server and timezone setting is correct.

I only guess that splunk's C:\Program Files\Splunk\share\splunk\zoneinfo.tzpack file(i guess it copy of zoneinfo) is inactual, Because recently Belarus had UTC+02 timezone and now UTC+03.

What is format of this file ? May I somehow view it's content?

Tags (2)
0 Karma
Reply

let_eat_bee
New Member
‎04-20-2012 12:26 AM

thank you for the answers. As I've already said, I tried to play with TZ in props.conf.
And it affect only on eventdata timestamps, not on that time, taken when "last 15 min" search is chosen(I've mark it in screenshot attatched)
http://imm.io/mCOF
alt text

0 Karma
Reply

let_eat_bee
New Member
‎04-22-2012 07:26 AM

yes, but I use free license with one user
and make changes in config in etc/system/local/props.conf as well which has priority over other configs(per app, per user I mean..)

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎04-20-2012 06:56 AM

Did you see my comment above re: per-user time zones?

0 Karma
Reply

kmattern
Builder
‎04-19-2012 09:25 AM

In your etc/system/local/props.conf add the following stanza

[host::$YOUR_SERVER_NAME$]
TZ=$YOUR_TIME_ZONE$

for example I have my server set to GMT. My stanza looks like this

[host::Win2k8-Splunk]
TZ=GMT
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎04-19-2012 11:19 AM

Don't forget that in 4.3 you can specify a timezone value per user:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/Setupbuilt-inauthentication#Add_and_edit_use...

Reply

let_eat_bee
New Member
‎04-19-2012 05:23 AM

please anyone help me with the problem...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...