Getting Data In

Does Splunk take into consideration Timezone Daylight Saving ?

DavidHourani
Super Champion

Hello Splunkies and Splunklemen ,

Does Splunk Automatically take into consideration Daylight Savings Time (DST) ? Or should this parameter be defined somewhere ?

If so can anyone tell me how its done via props.conf ?

Thanks !

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

IMHO, unless each event specifies TZ inside the event timestamp, you should always set TZ by host in props.conf like this:

# Tuscon
[host::My\.Host\.IP\.Here]
TZ = US/Mountain

View solution in original post

woodcock
Esteemed Legend

IMHO, unless each event specifies TZ inside the event timestamp, you should always set TZ by host in props.conf like this:

# Tuscon
[host::My\.Host\.IP\.Here]
TZ = US/Mountain

darlas
Communicator

I think I spoke too soon! Looks like _time is now reflecting daylight savings time. Thanks so much!

darlas
Communicator

In my situation, I have defined TZ=PST in my props.conf file for the particular event source. My Splunk servers are all in UTC. This worked fine until recently when we moved the clocks up an hour for daylight savings time. So now it seems my TZ should = PDT, but there is not such a value. Also this means I would have to change this 2x/year when we change the clocks..and in each props.conf file. Am I missing something here? How do I handle this situation?

Thanks!!!

woodcock
Esteemed Legend

The "US/" notation implies DST, which is one of the reasons I used it in my answer. You need "US/Pacific" to handle DST changes.

0 Karma

darlas
Communicator

Thanks for the quick reply! I changed my props.conf but does not seem to be changing the behavior. I've given it about 30 minutes just in case it took time to affect the events. I'll have to keep digging.

0 Karma

DavidHourani
Super Champion

Cool! Thank you. This goes on the indexer right ? Would it modify _time for all the logs or only the recently added ones ?

0 Karma

woodcock
Esteemed Legend

Only new ones that come in after the indexer has Splunk restarted. You can track which events have updated TZs and which do not by looking at the date_zone field. Don't forget to "Accept" my answer!

0 Karma

DavidHourani
Super Champion

Thanks mate!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...