UTC timezone missing?

David_Hodgson · ‎09-01-2016

For clarity, the support staff work in UTC when looking at logs. The Splunk indexers are all running with /etc/localtime => UTC

The new versions seem to be ignoring the server timezone and using GMT instead.

I cannot see an option in the user administration timezone dropdown for UTC, or is this the wrong way to set the UI timezone?

p.s. this seems to be new behaviour. Has someone "corrected" the UI timezone handling?

muebel · ‎09-01-2016

Hi David, The timezone database used by Splunk is usually taken from the OS it's running on, as described here : http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Applytimezoneoffsetstotimestamps

GMT should usually be the same as UTC, unless you are dealing with British Summer Time. For my instance of Splunk I am finding a GMT timezone option for my user, and also a GMT : London. I'm presuming the simple "GMT" designation is UTC.

Please let me know if this helps!

David_Hodgson · ‎09-01-2016

Unfortunately GMT is described as one of London, Dublin etc. That implies it's using summer time (BST), which for my case is wrong.

There seems to be no way, using the UI, to set a user to have unaltered times reported.

I've edited the user's user-props.conf to have tz = UTC, but it's a defect that this isn't available through the UI, and that setting the user to "Default System Timezone" isn't working.

UTC timezone missing?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...