
How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

Path Finder

Hi there,

I have an issue with time zones where my analysis system (Splunk Free) is in the Australian Eastern time zone and I am trying to analyze data which was captured in the Central European time zone. I checked the data imported and I have the right times on the data once I tell Splunk it originates in Europe. I see my times in the data.

What I am doing is averaging the data over 24 hours. So when I say '15-May', I would like this to be 15 May in Europe, not Australia. I can't seem to figure out what I need to configure in Splunk to 'fool' it that I am analyzing in Europe. Do I need to change locale on my system?

Thanks,

Stan

0 Karma

Re: How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

Influencer

One thought, maybe adjusting timezone for your user through the User Menu would help get you what you need?

0 Karma

Re: How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

Esteemed Legend

Splunk presents times to you, the user, as you tell it to through your user settings. Go to "Your User Name" -> Edit Account -> Time Zone and set this to the appropriate value and Splunk will automatically normalize both the timepicker and all the results as they are presented to you.

0 Karma
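
Why the zone used for presentation changes a per-day average, shown as an added example that is not part of the original thread: the same events, held as epoch seconds, are bucketed by calendar day once in Central European time and once in Australian Eastern time. The events, the year, the values and the helper names are constructed for illustration; `Europe/Berlin` and `Australia/Sydney` are assumed as representative zones.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
except ImportError:  # Python older than 3.9
    ZoneInfo = None


def load_tz(name, fallback_hours):
    """Return the IANA zone, or a fixed offset if no tz database is available."""
    try:
        return ZoneInfo(name)
    except Exception:
        return timezone(timedelta(hours=fallback_hours))


def utc(day, hour, minute):
    """Epoch seconds for a constructed May 2015 timestamp given in UTC."""
    return datetime(2015, 5, day, hour, minute, tzinfo=timezone.utc).timestamp()


# Constructed sample events: (epoch seconds, measured value).
EVENTS = [
    (utc(14, 21, 30), 10),  # 14 May 23:30 in Europe, 15 May 07:30 in Australia
    (utc(14, 22, 30), 20),  # 15 May 00:30 in Europe, 15 May 08:30 in Australia
    (utc(15, 12, 0), 30),   # 15 May in both zones
    (utc(15, 15, 0), 40),   # 15 May 17:00 in Europe, 16 May 01:00 in Australia
    (utc(15, 21, 59), 60),  # 15 May 23:59 in Europe, 16 May 07:59 in Australia
]


def daily_average(events, tz):
    """Average the values per calendar day as that day is seen in zone tz."""
    buckets = defaultdict(list)
    for epoch, value in events:
        local_day = datetime.fromtimestamp(epoch, tz).date().isoformat()
        buckets[local_day].append(value)
    return {day: sum(v) / len(v) for day, v in sorted(buckets.items())}


if __name__ == "__main__":
    # In May the offsets are UTC+2 (Central European Summer Time) and UTC+10.
    for label, tz in (("Europe", load_tz("Europe/Berlin", 2)),
                      ("Australia", load_tz("Australia/Sydney", 10))):
        print(label, daily_average(EVENTS, tz))
```

The "15 May" average differs between the two zones because three of the five events fall on a different calendar day depending on where midnight is drawn.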

Re: How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

Path Finder

Thanks for that. I am using Splunk Free and it does not have the ability to do that. I adjust the system locale to be in Europe and it seems to be better aligned.

Thanks for the pointer.

0 Karma

Re: How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

Path Finder

I actually found the admin user (which is the only user in Splunk Free) configuration file:

user-prefs.conf

which looks like:

[general]
appOrder = search
default_namespace = launcher
display.page.home.dashboardId = /servicesNS/nobody/simple_xml_examples/data/ui/views/linear_fits
showWhatsNew = 1
eai_app_only = False
eai_results_per_page = 25

Perhaps I could make an entry there? Would someone make a temporary time zone change for a user and tell me what the key might be? The location of the file is:

C:\Program Files\Splunk\etc\users\admin\user-prefs\local

Thanks,

Stan

0 Karma

Re: How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

Esteemed Legend

This is what I found in mine:

[general]
eai_app_only = False
eai_results_per_page = 25
tz = America/Los_Angeles
restart_background_jobs = 1
0 Karma

Re: How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

Path Finder

Hi Woodcock,

Thanks for that. I tried it but it seems to make no difference. I need to set my system locale to the target Central European Time. Perhaps this is a hidden limitation in the free version(?)

0 Karma

Re: How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

Esteemed Legend

Only Splunk can say for sure; I am sorry that I cannot help you more.

0 Karma

Re: How to configure Splunk so I can accurately analyze data captured in the Central European timezone?

Path Finder

acharlieh, I can't do this on Splunk Free. I should point this out to Splunk as a deficiency. Thanks anyway.

0 Karma