Solved: Re: How to configure Splunk so I can accurately an...

brutecat · ‎06-04-2015

Hi there,

I have an issue with time zones where my analysis system (Splunk Free) is in the Australian Eastern time zone and I am trying to analyze data which was captured in the Central European time zone. I checked the data imported and I have the right times on the data once I tell Splunk it originates in Europe. I see my times in the data.

What I am doing is averaging the data over 24 hours. So when I say '15-May', I would like this to be 15 May in Europe, not Australia. I can't seem to figure out what I need to configure in Splunk to 'fool' it that I am analyzing in Europe. Do I need to change locale on my system?

Thanks,

Stan

woodcock · ‎06-04-2015

Splunk presents times you, the user, as you tell it to through your users settings. Go to "Your User Name" -> Edit Account -> Time Zone and set this to the appropriate value and Splunk will automatically normalize both the timepicker and all the results as they are presented to you.

View solution in original post

brutecat · ‎06-04-2015

acharlieh, I can't do this on Splunk Free. I should point this out to Splunk as a deficiency. Thanks anyway.

woodcock · ‎06-04-2015

Splunk presents times you, the user, as you tell it to through your users settings. Go to "Your User Name" -> Edit Account -> Time Zone and set this to the appropriate value and Splunk will automatically normalize both the timepicker and all the results as they are presented to you.

brutecat · ‎06-08-2015

Hi Woodcock,

Thanks for that. I tried it but it seems to make no difference. I need to set my system locale to the the target Central European Time. Perhaps this is a hidden limitation in the free version(?)

woodcock · ‎06-08-2015

Only Splunk can say for sure; I am sorry that I cannot help you more.

brutecat · ‎06-04-2015

I actually found the admin user (which is the only user in Splunk Free) configuration file:

user-prefs.conf

which looks like:

[general]
appOrder = search
default_namespace = launcher
display.page.home.dashboardId = /servicesNS/nobody/simple_xml_examples/data/ui/views/linear_fits
showWhatsNew = 1
eai_app_only = False
eai_results_per_page = 25

Perhaps I could make an entry there? Would someone make a temporary time zone change for a user and tell me what the key might be. The location of the file is:

C:\Program Files\Splunk\etc\users\admin\user-prefs\local

Thanks,

Stan

woodcock · ‎06-08-2015

This is what I found in mind:

[general]
eai_app_only = False
eai_results_per_page = 25
tz = America/Los_Angeles
restart_background_jobs = 1

brutecat · ‎06-04-2015

Thanks for that. I am using Splunk Free and it does not have the ability to do that. I adjust the system locale to be in Europe and it seems to be better aligned.

Thanks for the pointer.

acharlieh · ‎06-04-2015

One thought, maybe adjusting timezone for your user through the User Menu would help get you what you need?

How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?