Timezones differ for User's position and internal ...

amantjes · ‎06-15-2017

Hi all,
In our case timestamps within the splunk events are standard GMT

where people working from different timezones, the event time itself and the timestamps within the events differ. Is there a best practise to get those timestamps equal no matter where somebody is working in the world ?
Of course you can set user settings to the standard GMT for having those time equal but we want to have this translated to every timezone a user is in.

woodcock · ‎06-15-2017

You have to tell Splunk how to convert the timestamp strings inside of each event to GMT, using TZ settings in props.conf and then each user should set his own personal value in <My User Name> -> Account settings -> Time zone. Then each user's personal timezone settings will be used for yesterday, etc.

DalJeanis · ‎06-15-2017

Good choice to have the timestamps in GMT. Splunk defaults to that for the event _time, but if you have all your servers set to that as well, you simplify your life immensely.

Honestly, this is a user education issue. If you attempt to mask the real data as if it was always in local time (no matter where it happened, or where it was being viewed) then you are just adding a massive technical problem, confusing everyone on what the actual form of the event is, and simultaneously multiplying your training problems.

Timezones differ for User's position and internal events timestamps

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?