Solved: timezone and Checkpoint logs

nov1ce · ‎06-12-2013

Hello,

I'm using latest Splunk to collect event logs from a number of W2K8 servers as well as Checkpoint. Everything is working just fine except that if I search logs from Checkpoint in Splunk they appear to be two hours ahead (the time is correct, just two hours ahead). I double-checked system clock on the CP Management gateway and Splunk server - it's correct and synced. No issues with logs coming from Windows servers.

Seems like a timezone settings somewhere in Splunk but I can't find it.

PS: Setting timezone for a user didn't help.

Any hints would be greatly appreciated!

Thanks.

tgow · ‎06-12-2013

The timezone (TZ) can be set in the props.conf file based on either host, source or sourcetype. Here is a quick example:

[host::nyc*]
TZ = US/Eastern

Here is a link to more information:

http://docs.splunk.com/Documentation/Splunk/latest/Data/ApplyTimezoneOffsetsToTimeStamps

View solution in original post

tgow · ‎06-12-2013

The timezone (TZ) can be set in the props.conf file based on either host, source or sourcetype. Here is a quick example:

[host::nyc*]
TZ = US/Eastern

Here is a link to more information:

http://docs.splunk.com/Documentation/Splunk/latest/Data/ApplyTimezoneOffsetsToTimeStamps

nov1ce · ‎06-12-2013

Thank you!

timezone and Checkpoint logs

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases