- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- Setting timezone is not working (Version 6.5.0)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Setting timezone is not working (Version 6.5.0)
Hi all,
I am trying to change the timeset of the forwarders however it it not working.
As indicated in the URL (http://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps), I have already included the below property in the files:
/opt/splunk/etc/system/local/props.conf
/opt/splunk/etc/apps/"APPS"/default/props.conf
[sourcetype name]
TZ = America/Sao_Paulo
And after reset the splunk, i am still seeing the "_time" in UTC.
I already tried this property using host and source.
What else I need to do to reflect the timezone?
Thanks and regards,
Danillo Pavan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i'm pretty sure the timezone is being converted to whatever you have set, as your timezone, on the search head you're looking up logs from.
try changing your time zone in user settings and see what happens
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, changing the user timezone configuration - changing from DEFAULT to the BR, i have the expected results, however it is not what I am finding. I want to have it is defined in the index server not directly in the user settings..
Executing the below query, I still have the "N/A" value for my sourcetypes:
index=sap |dedup host sourcetype | eval date_zone=coalesce(date_zone, "N/A") | eval lagSecs=_indextime-_time | table host sourcetype source date_zone lagSecs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Splunk will convert the time into time zone of the indexer. i.e If indexer is running in PST and your forwarder is in UTC, Splunk will convert UTC time to equivalent PST time. With TZ configuration, you will inform Splunk Indexer the time zone of the event. This setting should be on Indexer in case you are using universal forwarder.
From your problem statement it seems that your indexer server is in "UTC" timezone, which is the reason why you are seeing events UTC timezone.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I have already included the TZ properties however didn´t reflect in the indexer server timezone.
If I execute the below query, I still have my sourcetypes with "N/A" value:
index=sap |dedup host sourcetype | eval date_zone=coalesce(date_zone, "N/A") | eval lagSecs=_indextime-_time | table host sourcetype source date_zone lagSecs.
Not sure how reflect the timezone in the indexer server.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
