Servers are sending data in GMT time zone but Splunk instances are on EST time zone

pasokkum
Path Finder

Hi,
The servers from which we are getting data are in the GMT time zone, but the Splunk instances are in the EST time zone. We are getting the timestamp from the log files themselves. On the search head, under user-prefs.conf, we made the setting tz = GMT. Hence all time ranges in the server add 4 hrs to themselves, which includes the log files also, i.e. the timestamp in the log files also shows timestamp + 4 hrs in the Search tab under List.

We want only the time range picker in the UI to be in GMT.

0 Karma

woodcock
Esteemed Legend

If I understand you correctly, you are timestamping the events correctly. In that case, every user has his own individual TZ setting that is configurable in Your User Name -> Edit account -> Time zone. This will change the way that any time is presented to you when you log in EXCEPT for the time value characters inside the raw data; these are immutable and will remain what they were when indexed.

pasokkum
Path Finder

The timestamp in the raw data is not changed, but the time in the search head is different from the time shown in the indexer. The search head is adding 4 hrs to that time also.

0 Karma

woodcock
Esteemed Legend

The thing that you have highlighted in red is DIRECTLY controlled by the user's Time zone setting (exactly what I described in my answer), which also controls the meaning of the values in the Timepicker (e.g. when exactly is "yesterday"). You NEED to be able to control this user-by-user. If you would like to see GMT for you, then change your setting to GMT.

0 Karma
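An added illustration of the behaviour described in the answers above (not from the thread and not Splunk code): a small Python model in which the event time is kept as an epoch value, the display time and the time picker follow the viewer's time zone, and the raw text never changes. The function names, the sample log line and the fixed UTC-4 offset standing in for the "EST" instance (chosen to match the 4-hour difference reported) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

GMT = timezone.utc
# Assumption: fixed UTC-4 offset, matching the 4-hour shift reported in the thread.
EASTERN = timezone(timedelta(hours=-4))

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
FMT = "%Y-%m-%d %H:%M:%S"


def index_event(raw, source_tz):
    """Read the timestamp in the raw text as source_tz; keep epoch time plus untouched raw."""
    match = TS_RE.search(raw)
    if match is None:
        raise ValueError("no timestamp found in event")
    stamp = datetime.strptime(match.group(), FMT).replace(tzinfo=source_tz)
    return {"_time": int(stamp.timestamp()), "_raw": raw}


def render_time(event, user_tz):
    """Display-time column: the stored epoch rendered in the viewer's time zone."""
    return datetime.fromtimestamp(event["_time"], user_tz).strftime(FMT)


def day_window(day, user_tz):
    """Epoch range [earliest, latest) that a calendar day means for this viewer."""
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=user_tz)
    return int(start.timestamp()), int((start + timedelta(days=1)).timestamp())


def in_window(event, day, user_tz):
    """True if the event falls inside the viewer's idea of that calendar day."""
    earliest, latest = day_window(day, user_tz)
    return earliest <= event["_time"] < latest


# Constructed sample event from a server whose clock is in GMT.
EVENT = index_event(
    "2024-05-14 02:30:00 sshd[811]: Accepted publickey for svc_backup", GMT
)

if __name__ == "__main__":
    for name, tz in (("GMT user", GMT), ("UTC-4 user", EASTERN)):
        print(name, "| display:", render_time(EVENT, tz),
              "| in 2024-05-14:", in_window(EVENT, "2024-05-14", tz),
              "| raw:", EVENT["_raw"][:19])
```

When correlating events across teams during an investigation, compare the epoch value or agree on one display time zone, since the same event lands on different calendar days for the two viewers here.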