Multiple Timezones, search worldwide

carlj
Explorer

I have Universal forwarders that forward data from the following timezones:
GMT±0
GMT+2
GMT+4
The indexer server is running in GMT±0.

I have a couple of dashboards for operational purposes which show the current state of each operation (@day -now).
My issue is that data forwarded at 13:00 from the GMT+4 operation is not displayed until 13:00 GMT time.

How do I set up time zones so that the latest indexed data is presented in my dashboards?

1 Solution

Drainy
Champion

What isn't clear in your question is whether you are applying any timezones to your inputs.
Have a look at the timezone section here:

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

The important thing is that the correct timezone is applied against your data; Splunk will then display the time as per the user timezone selected within the account options screen. This means that everything will be displayed correctly and you avoid having events occurring in the future.

Personally, I set everything to UTC on the server/syslog side and set timezones on a per-user basis.


Drainy
Champion

Sorry, I wasn't particularly clear. There is an order in which Splunk will extract certain bits of data and index them, and you need to ensure that you apply your transforms in order to match them. Most of the time when you apply the sourcetype extraction it will complete its extractions and commit the data, but it's all down to how you assign the different metadata and in what order. Trial and error is sometimes the best tactic 🙂 Glad it's all working!

carlj
Explorer

Restarted my Splunk installation and now everything worked as intended!
For future reference, you are able to set TZ by host in props.conf.
Thanks Drainy!

0 Karma

carlj
Explorer

So setting TZ to the host won't work? The problem is that I have the same sourcetypes for all the operations (timezones). The only difference is the host.

0 Karma

Drainy
Champion

Ah, well, the timezone is index time if I recall, so your previous data won't be correct. Also, it depends where you apply the TZ. If you set a sourcetype in the inputs.conf, then reference the sourcetype in your props, e.g. [mysourcetype] TZ= etc. etc. Also, Splunk will understand things like UTC-2, CEST, CST if you wanted to use those instead.

0 Karma

carlj
Explorer

I have set the timezones per host in props.conf on the indexer but can't see any difference in how they are displayed, e.g.:

[host::XXXYYY]
TZ = Europe/Helsinki

I tried changing the user timezones, but Splunk seems to only change the time on the X-axis of my dashboard graphs while still displaying the same events.

0 Karma
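A small model of the symptom discussed in this thread, added here as an illustration and not code from any poster or from Splunk. It assumes the hosts log zone-less local timestamps and that, without a TZ setting, the indexer's zone (GMT) is applied to them; the host names and the sample date are constructed.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"
# Hypothetical host names, one per zone from the question (UTC offset in hours).
HOST_OFFSETS = {"ops-gmt0": 0, "ops-gmt2": 2, "ops-gmt4": 4}


def log_line_timestamp(host, now_utc):
    """What the host writes: its local wall clock, with no zone marker."""
    local = now_utc.astimezone(timezone(timedelta(hours=HOST_OFFSETS[host])))
    return local.strftime(FMT)


def parse(raw, utc_offset_hours):
    """Interpret a zone-less timestamp as local time at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(raw, FMT).replace(tzinfo=tz)


def in_today_window(event_time, now_utc):
    """Model of an '@d to now' search evaluated in UTC."""
    midnight = now_utc.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight <= event_time <= now_utc


def compare(host, now_utc):
    """Return (visible without TZ, visible with per-host TZ, skew in hours)."""
    raw = log_line_timestamp(host, now_utc)
    assumed = parse(raw, 0)                    # indexer zone (GMT) applied
    correct = parse(raw, HOST_OFFSETS[host])   # zone a per-host TZ setting would supply
    skew = (assumed - correct).total_seconds() / 3600
    return in_today_window(assumed, now_utc), in_today_window(correct, now_utc), skew


def visible_from(host, now_utc):
    """UTC instant at which the mis-stamped event stops being 'in the future'."""
    return parse(log_line_timestamp(host, now_utc), 0)


if __name__ == "__main__":
    now = datetime(2021, 6, 1, 9, 0, 0, tzinfo=timezone.utc)  # 13:00 on the GMT+4 host
    for host in HOST_OFFSETS:
        print(host, compare(host, now), visible_from(host, now).isoformat())
```

The same skew applies to any time-bounded search or correlation across hosts, so an event stamped four hours ahead is also four hours out of order in a timeline built from these sources.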