Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how do I get Splunk's timezone settings via Python?

awurster
Contributor
‎07-14-2015 04:44 PM

i want to log activity of what a script is doing into an index.

i'm creating current time with a datetime object in python:

now = datetime.datetime.now()
now.strftime("%Y-%m-%d %H:%M:%S %Z")

now i do know strftime has limited support for timezones... but without a timezone the log message might not get parsed correctly AFAIK, and is probably not a Good Thing to leave it off.

how can i access what Splunk thinks the host server's timezone is (independent of individual user settings, etc)? whether it's REST endpoint in Splunk, an SDK variable / function, or some native Python function doesn't matter to me.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-14-2015 08:15 PM

If you have done the right thing and configured a TZ= value in your props.conf for every source (except for some scripted inputs from TA apps), then you can check the date_zone field to see what Splunk thinks is the TZ for each event. If you see local then this means that the TZ of the indexer (or heavy forwarder) was used (which is usually bad/wrong). You are mistaken to think that Splunk "has a TZ" because it doesn't; all Splunk times are stored in GMT-based epoch (TZ=0) so you should never need to do any TZ manipulation if you are dealing with the _time field.

0 Karma
Reply

awurster
Contributor
‎07-14-2015 08:47 PM

thanks but i'm mostly just looking for a pythonic way to access the local system's timezone.

i'm writing logs to ~/var/log/splunk/foo.log which lands in the server's _internal index. it might be redundant to log a TZ, but i still am curious what the answer is.

i should also clarify that i'd like to do it natively as much as possible, without requiring a 3rd party lib like pytz to be bundled with my add-on.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top