How and where does Splunk determine host time zone?

yoho
Contributor

My indexers and searchheads in my central datacentre are configured in UTC timestamp but I have universal/light forwarders around the world in many different time zones.

I know the hosts my forwarders are installed on have correct time zone settings. So I'd like to use the host timezone (point number 3 in this document) rather than override it but I can't get it right.

Hence my 2 questions:
* How does Splunk determine the Splunk server time zone (if running on Linux)?
* Where is the time zone evaluated: in my case, if it's at the indexer level, it won't help...

1 Solution

lguinn2
Legend

Here are the rules: How Splunk applies timezones - I think this is exactly the page that you are referencing.

If you want to override the default processing, you must set the TZ attribute on the machine that is doing the parsing. That would mean that, on each indexer, you would need an entry in props.conf for each forwarder:

[host::forwarderhostname1]
TZ = forwardertimezone1

There is no alternative. This is a perfect enhancement request! Do it here: Submit Case

My request would be "I want to be able to set something like this in props.conf:

[host::*]
TZ = use_host_tz

So that the indexer would use the forwarder's server timezone setting"

But that's just what I asked for...

UPDATE: Splunk 6 - *WISH GRANTED!*

Specify time zones of time stamps

Note item # 3 - "If an event that arrives at an indexer originated at a forwarder, and both the forwarder and the receiving indexer run Splunk Enterprise 6.0 or later, then Splunk uses the time zone that the forwarder provides."
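The per-forwarder workaround described in the answer above (one `[host::...]` stanza with `TZ` per forwarder, deployed where parsing happens) can be generated from an inventory when the forwarder or indexer predates 6.0. This is an added example, not code from the thread or from Splunk; the host names and zones are constructed, and `build_props` and `valid_tz` are hypothetical helper names.

```python
import re
from zoneinfo import available_timezones

# Constructed inventory: forwarder host name -> zoneinfo name of that host.
# These hosts and zones are sample values, not taken from the thread.
INVENTORY = {
    "fw-tokyo-01": "Asia/Tokyo",
    "fw-paris-01": "Europe/Paris",
    "fw-nyc-01": "America/New_York",
}

HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")  # literal host, no wildcards
TZ_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_+-]*(/[A-Za-z0-9_+-]+)*$")
KNOWN_ZONES = available_timezones()  # empty set if no tz database is installed


def valid_tz(name):
    """Accept only names shaped like zoneinfo identifiers; if a tz database
    is installed, also require the name to exist in it."""
    if not TZ_RE.match(name):
        return False
    return not KNOWN_ZONES or name in KNOWN_ZONES


def build_props(inventory):
    """Return (props_conf_text, rejected) for a host -> time zone mapping."""
    stanzas, rejected = [], []
    for host, tz in sorted(inventory.items()):
        # Refuse anything that could change the meaning of the stanza header
        # (brackets, newlines, wildcards) instead of writing it to the file.
        if not HOST_RE.match(host) or not valid_tz(tz):
            rejected.append((host, tz))
            continue
        stanzas.append(f"[host::{host}]\nTZ = {tz}\n")
    return "\n".join(stanzas), rejected


if __name__ == "__main__":
    text, bad = build_props(INVENTORY)
    print(text)
    for host, tz in bad:
        print(f"# skipped {host!r} -> {tz!r}")
```

Rejected entries are reported rather than written, so a typo in the inventory shows up at generation time instead of as silently skewed event timestamps.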

yoho
Contributor

Thanks! Indeed, the Splunk 6 update should fix this problem.

yoho
Contributor

Well, this would be a workaround, but what I need is to have Splunk rely on the universal forwarders' server timezone - it's already correctly set, so I wouldn't like to force it to some specific timezone (and in addition it's different for each forwarder). It's a pity you can't set the timezone at input time.
