Hi,
I'm creating a multisite Splunk deployment with timezone differences. Since most users do not change their timezone perf and it's set to default, it could change depending on which search head and indexer they pull from. Is there a configuration setting that would set the timezone for the entire Splunk environment? I would imagine I would need to set the indexers and the search heads to ensure the results are static, correct? Any recommendations on how I should approach this?
TIA,
Todd
There are two major locations for timezone:
1 - in the data ingestion process - the timezone is essential to making sure that the timestamp is accurate for every event
2 - in the user interface (at search time) - the user's timezone controls how the timestamp is displayed
Data ingestion: the Splunk Admin must make appropriate time and timezone settings on the forwarders and indexers, using props.conf
Search time: users can choose a timezone, or you can set one by default, using user-prefs.conf - must be done on the search head(s)
Although it is not explicitly documented, try this in etc/system/local/user-prefs.conf
[default]
# Only canonical timezone names such as America/Los_Angeles are allowed
tz = America/Los_Angeles
[general_default]
default_earliest_time = -24h@h
If this doesn't work, try setting the tz explicitly for each role (a bit more painful, but the documented way):
[role_power]
tz = America/Los_Angeles
lang = en-US
[role_user]
tz = GMT
There are two major locations for timezone:
1 - in the data ingestion process - the timezone is essential to making sure that the timestamp is accurate for every event
2 - in the user interface (at search time) - the user's timezone controls how the timestamp is displayed
Data ingestion: the Splunk Admin must make appropriate time and timezone settings on the forwarders and indexers, using props.conf
Search time: users can choose a timezone, or you can set one by default, using user-prefs.conf - must be done on the search head(s)
Although it is not explicitly documented, try this in etc/system/local/user-prefs.conf
[default]
# Only canonical timezone names such as America/Los_Angeles are allowed
tz = America/Los_Angeles
[general_default]
default_earliest_time = -24h@h
If this doesn't work, try setting the tz explicitly for each role (a bit more painful, but the documented way):
[role_power]
tz = America/Los_Angeles
lang = en-US
[role_user]
tz = GMT
Hi,
I need to change the tz for all the users and roles to Oslo Norway timezone.
(GMT+01:00)
But I cant find system folder under etc folder on our search head.
Instead we have below path:
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf
I tried adding below stanzas in /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf and restarted splunk, but its not working.
[default]
tz = Europe/Amsterdam
[general_default]
default_earliest_time = -24h@h
Kindly suggest where I am wrong
Regards,
Ravikiran Shikchi
If the file $SPLUNK_HOME/etc/system/local/user-prefs.conf
does not exist, then you must create it with the contents shown.
HI
Thanks for your help.
I have created this file however when i log in from DUBLIN with two users
Admin = Default Time Zone
Consultant = Paris Time Zone
I still get the issues that after i do an action in my GUI it acts differently to when i log in Via CITRIX from PARIS.
Can you do a "/opt/splunk/bin/splunk btool --debug user-prefs list | less" and search for tz?
hi
I get this with that command
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf [general]
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf datasets:showInstallDialog = 1
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_assistant = compact
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_auto_format = 0
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_line_numbers = 0
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_syntax_highlighting = light
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf [general_default]
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf appOrder = search
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_earliest_time = -24h@h
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_latest_time = now
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_namespace = $default
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf hideInstrumentationOptInModal = 0
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf showWhatsNew = 1
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf [role_consultant]
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf default_namespace = murex_mlc
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf [role_consultant_read]
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf default_namespace = murex_mlc
so when i open it up i get this.
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf
[role_consultant]
default_namespace = murex_mlc
[role_consultant_read]
default_namespace = murex_mlc
Not sure if i should try and add in my TZ here or create
etc/system/local/user-prefs.conf
Yeah, add the tz to your local/user-prefs.conf that you have. I see no reason why that shouldn't work.
Bad news i added this to splunk/etc/apps/user-prefs/local/user-prefs.conf
I log into my two different sights(same user consultant) - One in paris via Citrix and on in Dublin, the one in Dublin is not behaving like the one in paris.
[default]
tz = Europe/Paris
[role_consultant]
default_namespace = murex_mlc
tz = Europe/Paris
[role_consultant_read]
default_namespace = murex_mlc
tz = Europe/Paris
Are they both suppose to be Europe/Paris? You can do the btool and the one not acting correctly and see if the config is there.
hi
I have the same issues, did you get a fix for this?
This answer is great. Thank you.
OF the two suggestions , what one worked?
I believe the first one worked for me.