Solved: Re: Multiple Timezones, search worldwide

carlj · ‎07-05-2012

I have Universal forwarders that forwards data from the following timezones:
GMT±0
GMT+2
GMT+4
The indexer server is running in GMT±0.

I have a couple of dashboards for operational purposes which shows the current state of each operation (@day -now).
My issue is that data forwarded on 13:00 from the GMT+4 operation is not displayed until 13:00 GMT time.

How do I setup time zones so that the latest indexed data is presented in my dashboards?

Drainy · ‎07-05-2012

What isn't clear in your question is if you are applying any timezones to your inputs.
Have a look at the timezone section here;

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

The important thing is that the correct timezone is applied against your data, Splunk will then display the time as per the user timezone selected within the account options screen. This means that everything will be displayed correctly and you avoid having events occurring in the future.

Me personally, set everything to UTC on the server/syslog-side and set timezones on a per user basis.

View solution in original post

Drainy · ‎07-05-2012

What isn't clear in your question is if you are applying any timezones to your inputs.
Have a look at the timezone section here;

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

The important thing is that the correct timezone is applied against your data, Splunk will then display the time as per the user timezone selected within the account options screen. This means that everything will be displayed correctly and you avoid having events occurring in the future.

Me personally, set everything to UTC on the server/syslog-side and set timezones on a per user basis.

Drainy · ‎07-05-2012

Sorry, I wasn't particularly clear. There is an order that Splunk will extract certain bits of data and index them and you need to ensure that you apply your transforms in order to match them. Most of the time when you apply the sourcetype extraction it will complete its extractions and commit the data but its all down to how you assign the different metadata and in what order. Trial and error is sometimes the best tactic 🙂 Glad its all working!

carlj · ‎07-05-2012

Restarted my Splunk installation and now everything worked as intended!
For future referens, you are able to set TZ by host in props.conf
Thanks Drainy!

carlj · ‎07-05-2012

So setting TZ to the host wont work? The problem is that I have the same sourcetypes for all the operations (Timezones). The only differens is the host.

Drainy · ‎07-05-2012

ah, well the timezone is index time if I recall so your previous data won't be correct. Also it depends where you apply the TZ. If you set a sourcetype in the inputs.conf then reference the sourcetype in your props. e.g. [mysourcetype] TZ= etc etc. Also Splunk will understand things like UTC-2, CEST, CST if you wanted to use those instead.

carlj · ‎07-05-2012

I have set the timezones per host in props.conf on the indexer but cant see any differens in how they are displayed, ex:

[host::XXXYYY]
TZ = Europe/Helsinki

I tried changing the user timezones but Splunk seems to only change the time on the X-axel of my dashboard grafs but still displaying the same events.

Multiple Timezones, search worldwide

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation