Getting Data In

Can you help me get data from different time zones into CST time?

snigdhasaxena
Communicator

I have Splunk forwarders using time zone CST while the servers from where forwarders are picking up the data are in EST and GMT time zones.

What should be done to get all the data in CST time zone as used by the Splunk forwarder?

0 Karma
1 Solution

damann
Communicator

When all your forwarded data provide a valid timestamp with additional information of the timezone everything is fine. Splunk recognizes the timezone automatically for you and will adjust the timestamp while indexing.

Another way to make sure your events get indexed properly you should take a look in the props.conf:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps

There you can specify the correct TZ for a set of servers by using stanzas as you can see in the examples.

View solution in original post

0 Karma

damann
Communicator

When all your forwarded data provide a valid timestamp with additional information of the timezone everything is fine. Splunk recognizes the timezone automatically for you and will adjust the timestamp while indexing.

Another way to make sure your events get indexed properly you should take a look in the props.conf:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps

There you can specify the correct TZ for a set of servers by using stanzas as you can see in the examples.

0 Karma

dkeck
Influencer

Hi,

I don´t get why you wan´t to change the TZ from EST to CST on the same source, but..

you can set this in props.conf for host or source

https://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps

valid TZ are listed here : https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Set this on your Indexer or Heavy Forwarder

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...