https://community.splunk.com/t5/Getting-Data-In/COnfused-about-TimeZones/m-p/52219#M10030 <P>Hi folks, I've searched for an answer to this but haven't found anything that matches what I'm experiencing. For clarity, I am in Jamaica. We are in the EST time zone (GMT-5) but we do not observe daylight savings.</P> <P>I started indexing device syslog messages forwarded from my Network Monitoring System via UDP:514. My NMS is on a windows server set to local time (GMT-5). </P> <P>If an event occurs at 12:01pm Jamaica time (GMT-5), when I search for it in Splunk, that event has a _time of 7:01am (GMT-10). If I look at the syslog event viewer in my NMS, it shows the correct local time of 12:01pm (GMT-5).</P> <P>Based on my research here, I learned that Splunk uses the time and zone of the server it is on if a timezone isn't specified in props.conf.</P> <P>I checked the time on the server with the hwclock command at 2:08pm local time (GMT-5). The result: Fri 30 Aug 2013 08:54:43 AM EST</P> <P>This got me confused. The hardware clock is set 5 hours in the past (Which is actually GMT-10) but has the timezone set to EST (GMT-5). How does that affect the way Splunk indexes events? </P> <P>I'm guessing that I should do one of the following:<BR /> 1. Change the hwclock on the Splunk server to the correct local time (GMT-5) and keep the timezone as EST.<BR /> 2. Change the hwclock to the correct GMT time (GMT-0) and set the timezone to GMT.</P> <P>What is considered the best practice for Splunk? Is it best to set the hardware clock to GMT or local time? How will this affect previously indexed items? </P> Fri, 30 Aug 2013 19:45:04 GMT ocallender 2013-08-30T19:45:04Z https://community.splunk.com/t5/Getting-Data-In/COnfused-about-TimeZones/m-p/52219#M10030 <P>Hi folks, I've searched for an answer to this but haven't found anything that matches what I'm experiencing. For clarity, I am in Jamaica. We are in the EST time zone (GMT-5) but we do not observe daylight savings.</P> <P>I started indexing device syslog messages forwarded from my Network Monitoring System via UDP:514. My NMS is on a windows server set to local time (GMT-5). </P> <P>If an event occurs at 12:01pm Jamaica time (GMT-5), when I search for it in Splunk, that event has a _time of 7:01am (GMT-10). If I look at the syslog event viewer in my NMS, it shows the correct local time of 12:01pm (GMT-5).</P> <P>Based on my research here, I learned that Splunk uses the time and zone of the server it is on if a timezone isn't specified in props.conf.</P> <P>I checked the time on the server with the hwclock command at 2:08pm local time (GMT-5). The result: Fri 30 Aug 2013 08:54:43 AM EST</P> <P>This got me confused. The hardware clock is set 5 hours in the past (Which is actually GMT-10) but has the timezone set to EST (GMT-5). How does that affect the way Splunk indexes events? </P> <P>I'm guessing that I should do one of the following:<BR /> 1. Change the hwclock on the Splunk server to the correct local time (GMT-5) and keep the timezone as EST.<BR /> 2. Change the hwclock to the correct GMT time (GMT-0) and set the timezone to GMT.</P> <P>What is considered the best practice for Splunk? Is it best to set the hardware clock to GMT or local time? How will this affect previously indexed items? </P> Fri, 30 Aug 2013 19:45:04 GMT https://community.splunk.com/t5/Getting-Data-In/COnfused-about-TimeZones/m-p/52219#M10030 ocallender 2013-08-30T19:45:04Z https://community.splunk.com/t5/Getting-Data-In/COnfused-about-TimeZones/m-p/52220#M10031 <P>Update:<BR /> I set my hardware AND system clock to local time with EST timezone. Since then, the syslog events show the correct time stamps. However, previously indexed events didn't change, so I have a 5 hour gap in my events. I can live with that, as long as they're correct going forward.</P> Fri, 30 Aug 2013 21:00:02 GMT https://community.splunk.com/t5/Getting-Data-In/COnfused-about-TimeZones/m-p/52220#M10031 ocallender 2013-08-30T21:00:02Z