Getting Data In

How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

brutecat
Path Finder

Hi there,

I have an issue with time zones where my analysis system (Splunk Free) is in the Australian Eastern time zone and I am trying to analyze data which was captured in the Central European time zone. I checked the data imported and I have the right times on the data once I tell Splunk it originates in Europe. I see my times in the data.

What I am doing is averaging the data over 24 hours. So when I say '15-May', I would like this to be 15 May in Europe, not Australia. I can't seem to figure out what I need to configure in Splunk to 'fool' it that I am analyzing in Europe. Do I need to change locale on my system?

Thanks,

Stan

Tags (2)
0 Karma
1 Solution

woodcock
Esteemed Legend

Splunk presents times you, the user, as you tell it to through your users settings. Go to "Your User Name" -> Edit Account -> Time Zone and set this to the appropriate value and Splunk will automatically normalize both the timepicker and all the results as they are presented to you.

View solution in original post

0 Karma

brutecat
Path Finder

acharlieh, I can't do this on Splunk Free. I should point this out to Splunk as a deficiency. Thanks anyway.

0 Karma

woodcock
Esteemed Legend

Splunk presents times you, the user, as you tell it to through your users settings. Go to "Your User Name" -> Edit Account -> Time Zone and set this to the appropriate value and Splunk will automatically normalize both the timepicker and all the results as they are presented to you.

0 Karma

brutecat
Path Finder

Hi Woodcock,

Thanks for that. I tried it but it seems to make no difference. I need to set my system locale to the the target Central European Time. Perhaps this is a hidden limitation in the free version(?)

0 Karma

woodcock
Esteemed Legend

Only Splunk can say for sure; I am sorry that I cannot help you more.

0 Karma

brutecat
Path Finder

I actually found the admin user (which is the only user in Splunk Free) configuration file:

user-prefs.conf

which looks like:

[general]
appOrder = search
default_namespace = launcher
display.page.home.dashboardId = /servicesNS/nobody/simple_xml_examples/data/ui/views/linear_fits
showWhatsNew = 1
eai_app_only = False
eai_results_per_page = 25

Perhaps I could make an entry there? Would someone make a temporary time zone change for a user and tell me what the key might be. The location of the file is:

C:\Program Files\Splunk\etc\users\admin\user-prefs\local

Thanks,

Stan

0 Karma

woodcock
Esteemed Legend

This is what I found in mind:

[general]
eai_app_only = False
eai_results_per_page = 25
tz = America/Los_Angeles
restart_background_jobs = 1
0 Karma

brutecat
Path Finder

Thanks for that. I am using Splunk Free and it does not have the ability to do that. I adjust the system locale to be in Europe and it seems to be better aligned.

Thanks for the pointer.

0 Karma

acharlieh
Influencer

One thought, maybe adjusting timezone for your user through the User Menu would help get you what you need?

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...