topic Re: Timezone issue with Splunk on Windows in Getting Data In

Timezone issue with Splunk on Windows

let_eat_bee — Thu, 12 Apr 2012 07:53:21 GMT

I've stucked on a couple of issues on Splunk since there was changes in timezone shift in my country.

The main problem that the Splunk treats event data(all these syslog messages are sent in local time) normally and puts correct timestamp in front of them. BUT it shows incorrect time range when I choose option to search in some time range, not "all time", for example "last 15 minutes" or similar in real-time search:

for example, local time is

10:38:02

but when I choose to search for last 15 minutes it shows me no event data and writes this on the top:

1 result in the last 15 minutes (from 09:23:00 to 09:38:02 on Thursday, April 12, 2012)
as you can see, time range there is incorrect with one hour diffirence.
the same time I've got when issued the search

* | stats count AS tnow | eval tnow = now() | convert ctime(tnow)

result is

04/12/2012 09:38:02

there is no TZ settings in my props.conf(C:\Program Files\Splunk\etc\system\local)

local time on windows server and timezone setting is correct.

I only guess that splunk's C:\Program Files\Splunk\share\splunk\zoneinfo.tzpack file(i guess it copy of zoneinfo) is inactual, Because recently Belarus had UTC+02 timezone and now UTC+03.

What is format of this file ? May I somehow view it's content?

Re: Timezone issue with Splunk on Windows

let_eat_bee — Thu, 19 Apr 2012 12:23:15 GMT

please anyone help me with the problem...

Re: Timezone issue with Splunk on Windows

kmattern — Thu, 19 Apr 2012 16:25:37 GMT

In your etc/system/local/props.conf add the following stanza

[host::$YOUR_SERVER_NAME$]
TZ=$YOUR_TIME_ZONE$

for example I have my server set to GMT. My stanza looks like this

[host::Win2k8-Splunk]
TZ=GMT

Re: Timezone issue with Splunk on Windows

araitz — Thu, 19 Apr 2012 18:19:16 GMT

Don't forget that in 4.3 you can specify a timezone value per user:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/Setupbuilt-inauthentication#Add_and_edit_users

Re: Timezone issue with Splunk on Windows

let_eat_bee — Fri, 20 Apr 2012 07:26:05 GMT

thank you for the answers. As I've already said, I tried to play with TZ in props.conf.
And it affect only on eventdata timestamps, not on that time, taken when "last 15 min" search is chosen(I've mark it in screenshot attatched)
http://imm.io/mCOF

Re: Timezone issue with Splunk on Windows

araitz — Fri, 20 Apr 2012 13:56:43 GMT

Did you see my comment above re: per-user time zones?

Re: Timezone issue with Splunk on Windows

let_eat_bee — Sun, 22 Apr 2012 14:26:28 GMT

yes, but I use free license with one user
and make changes in config in etc/system/local/props.conf as well which has priority over other configs(per app, per user I mean..)