Time zone difference between Splunk Server and Events.

biec1
Explorer

Our Splunk server is in the UTC time zone, but the events' time zone is CET.

Current Splunk server time:
Fri Jan 27 12:20:25 UTC 2017
Latest event time:
Fri Jan 27 13:19:35 CET 2017

When I make a search for the last 15 minutes, I get the events from 12:05 to 12:20.
But I am expecting the results as per the timestamp of the events.
I have changed the time zone in the sourcetype to UTC. Still I do not see any change.


woodcock
Esteemed Legend

There are 2 timezone considerations: what is the TZ of the timestamper of your events and what is the TZ of the searcher of the events. You changed the former, which was almost certainly the wrong thing. The Splunk indexer needs to know what TZ to use to interpret the timestamps in the sourcetype for each event; this typically is dependent on the host OS on the forwarder. That is the setting that you changed. You need to make sure that this is correct for each event (sourcetype/host combination). Once this is done, you need to change YOUR TZ setting with Your Login -> Account settings -> Time zone to be that of your personal/local/preferred value. The last thing to do is to click the Raw/List/Table setting on your Events tab to List (it should already be this way). This will create a field in all search results that shows YOUR PERSONAL timezone-adjusted value for _time in the Time column.


somesoni2
Revered Legend

The time range picker works on the time zone set in the user's profile, which defaults to the Splunk system timezone. So, by default your time-range picker should be working on the UTC timezone, as expected. If you've configured the timestamp recognition for your sourcetype correctly (including recognition of the timezone from the raw event), then it should be translating the _time value to UTC accordingly and you should see results correctly. The other option would be to change your user profile to update the timezone to CET, and then all time range picker operations would be based on CET.

FYI, changing the timezone in the sourcetype to UTC may be causing the timestamp to be treated as UTC and hence it's showing with a future timestamp.

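To make the two answers above concrete, here is a small model (added example, not code from the thread or from Splunk) of what happens to the thread's timestamps: the sourcetype TZ is applied only when the raw event carries no zone of its own, `_time` is stored as UTC, a "last 15 minutes" window is measured from the server clock, and the displayed time is the user's profile zone. The server clock and raw event lines are constructed from the numbers in the question; the CET offset is a fixed +1 h (correct for January, DST ignored).

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets stand in for real zone rules; in January CET is UTC+1 (no DST).
UTC = timezone.utc
CET = timezone(timedelta(hours=1), "CET")
ZONE_NAMES = {"UTC": UTC, "GMT": UTC, "CET": CET}

# Constructed samples taken from the thread's numbers.
SERVER_NOW_UTC = datetime(2017, 1, 27, 12, 20, 25, tzinfo=UTC)
RAW_WITH_ZONE = "Fri Jan 27 13:19:35 CET 2017 app=payments status=ok"
RAW_NO_ZONE = "Fri Jan 27 13:19:35 2017 app=payments status=ok"


def extract_time(raw: str, sourcetype_tz: timezone) -> datetime:
    """Model of timestamp recognition. A zone found in the raw text wins;
    otherwise the sourcetype's configured TZ is applied. The result is
    normalised to UTC, which is how Splunk stores _time (epoch seconds)."""
    parts = raw.split()
    stamp = " ".join(parts[:4])          # e.g. "Fri Jan 27 13:19:35"
    if parts[4] in ZONE_NAMES:           # zone present in the event itself
        tz, year = ZONE_NAMES[parts[4]], parts[5]
    else:                                # no zone: fall back to sourcetype TZ
        tz, year = sourcetype_tz, parts[4]
    naive = datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=tz).astimezone(UTC)


def in_last_15m(event_utc: datetime, now_utc: datetime) -> bool:
    """The picker's '-15m' is relative to 'now' on the server, not to the
    newest event; anything stamped in the future falls outside it."""
    return now_utc - timedelta(minutes=15) <= event_utc <= now_utc


def display(event_utc: datetime, user_tz: timezone) -> str:
    """What the Time column shows: _time rendered in the user's profile zone."""
    return event_utc.astimezone(user_tz).strftime("%Y-%m-%d %H:%M:%S %Z")


if __name__ == "__main__":
    for label, raw, st_tz in [
        ("zone in event, sourcetype TZ=CET", RAW_WITH_ZONE, CET),
        ("no zone in event, sourcetype TZ=CET", RAW_NO_ZONE, CET),
        ("no zone in event, sourcetype TZ=UTC", RAW_NO_ZONE, UTC),
    ]:
        t = extract_time(raw, st_tz)
        print(f"{label}:")
        print(f"  _time (UTC)        = {t.isoformat()}")
        print(f"  in last 15 min     = {in_last_15m(t, SERVER_NOW_UTC)}")
        print(f"  shown, profile UTC = {display(t, UTC)}")
        print(f"  shown, profile CET = {display(t, CET)}")
```

With the sourcetype zone set correctly the event lands at 12:19:35 UTC, is inside the window, and is shown as 12:19:35 in a UTC profile (what the question reports) or 13:19:35 in a CET profile (what the question expects). With the sourcetype zone forced to UTC on a zone-less event, `_time` becomes 13:19:35 UTC, an hour in the future, and the 15-minute window excludes it. In Splunk the sourcetype zone is the `TZ` setting of the sourcetype's stanza in props.conf; the display zone is the user's profile setting.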

richgalloway
SplunkTrust

Search windows are relative to Splunk's time. "-15m" returns events with a timestamp between now and 15 minutes ago rather than the most recent 15 minutes of events.
Changing the time zone in the sourcetype will not change events that have already been indexed.


biec1
Explorer

Thank you.
But even after three hours of changing the TZ in the sourcetype, I don't see any difference in the events' timestamps.
