Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Device specific timezone in splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Device specific timezone in splunk
If i set Timezone specific to host names , how do splunk search for the results ,
say for eg :
I have a device in Sweden , i set the (props.conf) timezone for this device (TZ) to sweden time
another device is in Australia , i set the timezone to Australia time.
i have my Splunk deployment in UTC timezone, So when I do a custom time search , how the results are displayed ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using SplunkJS Stack to do splunk queries using javascript.
Is there any way to define in splunkjs.config that the user is in a specific timezone (Taking by the browser?)?What happens if a swedish user logs in the app and in the next day logs in with the same user in the application staying locally in Seattle?
Best Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Whatever zone an event is localised to (be that through express definition of the zone, inferred from the source's host time zone, or failing those from the indexer's timezone), it is indexed standardised to UTC. The time presented in a search is then localised to the searching user's timezone.
So for instance, an event logged in Sweden, when displayed localised to a London user will be time-stamped an hour earlier, or for a Bombay user 4h30 hours later in winter, or 3h30 in summer (because India doesn't do daylight savings). In other words it will be presented within the user's own frame of reference, and the time of the event will be that as they would have experienced it themselves.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_time is Device time
_indextime is the time the event is indexed in Splunk
So , splunk always searches for the results in local timezone (in my case UTC) but i can see the events containing timestamps specific to their origin , i.e naative time ?
Am i right with this understanding ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If splunk search happens based on the _indextime , whats the benefit I will be getting by setting device specific TZ
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
