
How to set up time zone for data coming from Splunk DB Connect irrespective of user account's time zone?

uhkc777
Explorer

Hi,
I'm ingesting data from a database which is in the CST time zone. My account is set to EST, but I'm seeing a 5-hour time gap between _time and the actual timestamp of the event.

If I set my account to UTC, then both timestamps match. Can I know the logic behind that?

I'm working with a number of users in different time zones. If _time changes based on the account time zone, my search queries don't work in a unique manner for all users.

If I change the time zone for that DB source in etc/apps/default/props.conf (TZ=US/CST) and set my account to CST, then _time and my actual event timestamp match, but what about the users who are in different time zones?

Please help me with what to do in this scenario.

Thanks,

0 Karma

maraman_splunk
Splunk Employee

By default, dbconnect will think the time is in UTC,
but dbconnect maps your data to a sourcetype; let's say you asked it to use mysourcetypedb1.
Then, on the server where dbconnect is installed (if you are in a distributed config), you can add the following in etc/system/local/props.conf (don't modify default files; they are shipped/owned by the product or app owner):
[mysourcetypedb1]
TZ=US/CST

(The props could also be moved into a custom TA.)
Then Splunk knows it is reading a time with timezone US/CST and converts it internally to UTC (there's no user connected at this step; it happens when the data is getting indexed).

When you log in and search for your data, Splunk will show you the time in your local time zone, whatever you set it to.
So the local time you see is always correct (if it says 1 PM in your local time zone, then yes, it was really that time in your time zone when the event occurred, but another user in their own time zone would see another local time, which is still correct).

Hope that helps you understand why the time can be automagically correct for multiple users at the same time ...

0 Karma
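
Added example (not part of the original thread and not Splunk code): a small Python model of the two steps described in the answer above, reading a zone-less database timestamp at index time and rendering the stored epoch per user at search time. The function names, the sample timestamp and the tz database names America/Chicago and America/New_York (standing in for the thread's CST and EST) are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

def zone(name, std_offset_hours):
    """tz database zone, or its fixed standard-time offset if no tz data is installed."""
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=std_offset_hours), name)

UTC = timezone.utc
CENTRAL = zone("America/Chicago", -6)   # assumed name for the database's "CST"
EASTERN = zone("America/New_York", -5)  # assumed name for the "EST" account
FMT = "%Y-%m-%d %H:%M:%S"

def index_time(raw, source_tz):
    """Index time: read a zone-less DB timestamp as source_tz, store epoch seconds (_time)."""
    return datetime.strptime(raw, FMT).replace(tzinfo=source_tz).timestamp()

def search_time(epoch, user_tz):
    """Search time: render the stored epoch in the user's profile time zone."""
    return datetime.fromtimestamp(epoch, user_tz).strftime(FMT)

def gap_hours(raw, source_tz, user_tz):
    """Hours between the raw DB column and what this user sees as _time."""
    shown = datetime.strptime(search_time(index_time(raw, source_tz), user_tz), FMT)
    return (shown - datetime.strptime(raw, FMT)).total_seconds() / 3600

RAW = "2024-01-15 13:00:00"  # constructed sample: 1 PM Central, no zone in the column

if __name__ == "__main__":
    # First pass models the default (no TZ, read as UTC); second models TZ set to Central.
    for label, src in (("no TZ (read as UTC)", UTC), ("TZ = Central", CENTRAL)):
        epoch = index_time(RAW, src)
        print(f"{label}: _time={epoch:.0f}")
        for user, tz in (("UTC", UTC), ("Eastern", EASTERN), ("Central", CENTRAL)):
            gap = gap_hours(RAW, src, tz)
            print(f"  {user:8} sees {search_time(epoch, tz)}  gap {gap:+.0f}h")
```

With the source read as UTC, only a UTC account matches the raw column and an Eastern account is 5 hours off, which is the symptom in the question. With the source zone declared, every user is shown the same stored instant in their own local time.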