Splunk Search

Cisco Network App and Search & Reporting App Time Difference

splunkot
New Member

With no TZ configured, my Search & Reporting App is displaying the correct time (UTC-10:00 or 13:00 HST) but, my Cisco Networks App is displaying a time 10 hours ahead (23:00 HST) of our local time.

When I edit the props.conf in the TA-cisco_ios folder, I enter "TZ = UTC" under the syslog stanza, now the display time is correct (13:00 HST) for the Cisco Network App, but now the Search & Reporting App is displaying a time 10 hours behind (03:00 HST) our local time.

I tried editing both props.conf in the TA-cisco_ios and search App folders with no success.

All of my event logs' time are correct, so how do I get both Cisco Network and Search & Reporting App to display the correct time?

0 Karma

woodcock
Esteemed Legend

You need to go to <Your Login Here> -> Preferences -> Time zone and set it to your preferred value so that Splunk knows how to translates times to suit your location.

0 Karma

splunkot
New Member

I am not sure why but, the problem corrected itself after deploying:

Splunk App for Windows Infrastructure
Splunk Add-on for Microsoft Windows
Splunk Supporting Add-on for Microsoft Windows Active Directory

Now my Cisco Networks Overview and Search and Reporting display time are both UTC-10.

0 Karma

splunkot
New Member

To confirm, I removed Splunk App for Windows Infrastructure, Splunk Add-on for Microsoft Winows, and Splunk Supporting Add-on for Microsoft Windows Active Directory and the display time for the Cisco Networks Overview and Search and Reporting are still UTC-10.

The display time issue may have been resolved from the recent Splunk 7.2.4.2 update.

0 Karma

lakshman239
SplunkTrust
SplunkTrust

I assume your search head, indexers are configured with your local time or UTC. What's the time zone configuration in the Cisco IOS devices? If they are in a different timezone, the app/add-on would convert/parse them correctly and send data to your indexer to index in correct timezone. Pls check the props.conf to see if they are matching the TZ of the IOS devices.

0 Karma

splunkot
New Member

I have "clock timezone HST -10" configured on my Cisco IOS devices. My Splunk instance is configured with my local time. I searched all apps\system local props.conf for "TZ" and the only TZ configured is for the TA-cisco_ios app.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...