Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timezones - what am i missing?

Sqig
Path Finder
‎09-28-2012 12:52 PM

Hi.

We have some log data where each line starts with a timestamp that looks like this:

2012-09-28 15:44:35,302

Nothing else in the data looks anything like a timestamp.

Splunk is indexing this as UTC, so it displays 4 hours earlier.

The timezone on the source server is in Eastern.

We are running a Splunk Universal Forwarder there, so on the Heavy Forwarder, I have the following:

[my_sourcetype_here]
TZ = US/Eastern

For what it's worth, I also tried with [host::hostnamepattern*]

Neither seem to have taken effect with newly-indexed events, despite actually restarting the Heavy forwarders!

Am I missing something here?

Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sqig
Path Finder
‎10-02-2012 10:43 AM

If I could remove a question I have posted, I would in this case. This was user error on my part and not anything to do with Splunk.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Sqig
Path Finder
‎10-02-2012 10:43 AM

If I could remove a question I have posted, I would in this case. This was user error on my part and not anything to do with Splunk.

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎10-02-2012 10:15 AM

If Splunk is indexing in UTC, then your server is likely set to use UTC. See this link for help on how Splunk sets time zones:

http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/ApplyTimezoneOffsetsToTimeStamps

0 Karma
Reply
Solved! Jump to solution

jcaffero
Explorer
‎10-02-2012 10:13 AM

I was having a similar issue, running in Central time. I created a props.conf file within the C:\Program Files\Splunk\etc\system\local filepath with just the value TZ = UTC-6, Eastern would likely be UTC-5 and my timestamps are displaying correctly. Unfortunately I don't see my props.conf file in that directory anymore but the timestamps are still working correctly.

JC

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-28-2012 01:19 PM

A bit unclear about the setup - is it UF -> HF -> Indexer?

TZ settings should go to where the parsing phase takes place - in the above scenario, that would be the HF (As can be seen here).

Have you tried either EST or -04:00 instead of US/Eastern?

/Kristian

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...