Solved: Splunk displaying events with the correct timezone

Ant1D · ‎09-04-2012

Hi,

I have some data in an index where the events all begin with a UTC timestamp. My Splunk indexer server is in the UK and I would like the timestamps for these events to be interpreted as being in the Splunk indexer timezone (UK) instead of the UTC.

How can I do this?

At present, if a new event arrives at 11AM UK time, the timestamp will say 10AM which is the UTC time so it means that any searches that I do over the last 60 minutes or less will return no results which should not be the case.

Thanks in advance for your help.

Ant1D · ‎09-04-2012

The solution is to make the following addition to your props.conf file:

[the_sourcetype_name] TZ = the_timezone_that_your_timestamps_are_in

For this question, you would need to add TZ = UTC

View solution in original post

Ant1D · ‎09-04-2012

The solution is to make the following addition to your props.conf file:

[the_sourcetype_name] TZ = the_timezone_that_your_timestamps_are_in

For this question, you would need to add TZ = UTC

whitewool · ‎09-04-2012

Here is the link for TZ settings in the Splunk Docs

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/ApplyTimezoneOffsetstotimestamps

Ant1D · ‎09-04-2012

thanks for the link

Ant1D · ‎09-04-2012

I tried using the TZ = value attribute before and it didn't work. I guess I can try this again

MuS · ‎09-04-2012

Hi Ant1D

have you check the docs on how to set different timezones?

cheers,

MuS

Ant1D · ‎09-04-2012

thanks for the link

Ant1D · ‎09-04-2012

Looks to be working now

Ant1D · ‎09-04-2012

I tried using the TZ = value attribute before and it didn't work. I guess I can try this again

Splunk displaying events with the correct timezone

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life