I have an issue with time zones where my analysis system (Splunk Free) is in the Australian Eastern time zone and I am trying to analyze data which was captured in the Central European time zone. I checked the data imported and I have the right times on the data once I tell Splunk it originates in Europe. I see my times in the data.
What I am doing is averaging the data over 24 hours. So when I say '15-May', I would like this to be 15 May in Europe, not Australia. I can't seem to figure out what I need to configure in Splunk to 'fool' it that I am analyzing in Europe. Do I need to change locale on my system?
Splunk presents times to you, the user, as you tell it to through your user settings. Go to "Your User Name" -> Edit Account -> Time Zone and set this to the appropriate value, and Splunk will automatically normalize both the timepicker and all the results as they are presented to you.
Thanks for that. I am using Splunk Free and it does not have the ability to do that. I adjust the system locale to be in Europe and it seems to be better aligned.
Thanks for the pointer.
I actually found the admin user (which is the only user in Splunk Free) configuration file:
which looks like:
[general]
appOrder = search
default_namespace = launcher
display.page.home.dashboardId = /servicesNS/nobody/simple_xml_examples/data/ui/views/linear_fits
showWhatsNew = 1
eai_app_only = False
eai_results_per_page = 25
Perhaps I could make an entry there? Would someone make a temporary time zone change for a user and tell me what the key might be? The location of the file is:
This is what I found in mine:
[general]
eai_app_only = False
eai_results_per_page = 25
tz = America/Los_Angeles
restart_background_jobs = 1
Thanks for that. I tried it but it seems to make no difference. I need to set my system locale to the target Central European Time. Perhaps this is a hidden limitation in the free version(?)
Only Splunk can say for sure; I am sorry that I cannot help you more.
acharlieh, I can't do this on Splunk Free. I should point this out to Splunk as a deficiency. Thanks anyway.