In our case, timestamps within the Splunk events are standard GMT. Where people are working from different timezones, the event time itself and the timestamps within the events differ. Is there a best practice to get those timestamps equal no matter where somebody is working in the world?
Of course you can set user settings to the standard GMT for having those times equal, but we want to have this translated to every timezone a user is in.
You have to tell Splunk how to convert the timestamp strings inside of each event to GMT, using TZ settings in props.conf and then each user should set his own personal value in <My User Name> -> Account settings -> Time zone. Then each user's personal timezone settings will be used for yesterday, etc.
Good choice to have the timestamps in GMT. Splunk defaults to that for the event _time, but if you have all your servers set to that as well, you simplify your life immensely.
Honestly, this is a user education issue. If you attempt to mask the real data as if it was always in local time (no matter where it happened, or where it was being viewed) then you are just adding a massive technical problem, confusing everyone on what the actual form of the event is, and simultaneously multiplying your training problems.
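The model the answers above describe, as an added Python illustration that is not part of the original thread and is not Splunk code: the timestamp string is interpreted once in the source's zone (the role of `TZ` in props.conf), stored as one epoch value, and only the rendering differs per user. The sample event, the fixed-offset zones and the function names are constructed for the example.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample event whose embedded timestamp is written in GMT.
RAW_EVENT = "2024-01-15 14:30:00 action=login user=alice"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
GMT = timezone.utc

# Fixed offsets standing in for each user's time zone preference
# (constructed; real zones also have DST rules).
USER_ZONES = {
    "london": timezone(timedelta(hours=0)),
    "new_york": timezone(timedelta(hours=-5)),
    "tokyo": timezone(timedelta(hours=9)),
}


def index_time(raw, source_tz):
    """Parse the leading timestamp string as wall-clock time in source_tz
    and return epoch seconds: one absolute instant per event."""
    naive = datetime.strptime(raw[:19], TIME_FORMAT)
    return int(naive.replace(tzinfo=source_tz).timestamp())


def render(epoch, user_tz):
    """Show the same stored instant in a viewer's zone."""
    return datetime.fromtimestamp(epoch, tz=user_tz).strftime(TIME_FORMAT)


def skew_seconds(raw, assumed_tz, actual_tz=GMT):
    """Error introduced when the string is parsed in the wrong zone."""
    return index_time(raw, assumed_tz) - index_time(raw, actual_tz)


if __name__ == "__main__":
    epoch = index_time(RAW_EVENT, GMT)
    print("stored epoch:", epoch)
    for user, tz in USER_ZONES.items():
        # The raw string in the event never changes; only this rendering does.
        print(f"{user:9s} sees {render(epoch, tz)}  raw says {RAW_EVENT[:19]}")
    # Parsing a GMT string as if it were New York local time shifts the
    # stored instant, which breaks correlation with other sources.
    print("skew if parsed as new_york:",
          skew_seconds(RAW_EVENT, USER_ZONES["new_york"]), "seconds")
```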