Getting Data In

How to set a default timezone for an entire multisite Splunk deployment?

Contributor

Hi,

I'm creating a multisite Splunk deployment with timezone differences. Since most users do not change their timezone pref and it's set to default, it could change depending on which search head and indexer they pull from. Is there a configuration setting that would set the timezone for the entire Splunk environment? I would imagine I would need to set the indexers and the search heads to ensure the results are static, correct? Any recommendations on how I should approach this?

TIA,
Todd

0 Karma
1 Solution

Legend

There are two major locations for timezone:
1 - in the data ingestion process - the timezone is essential to making sure that the timestamp is accurate for every event
2 - in the user interface (at search time) - the user's timezone controls how the timestamp is displayed

Data ingestion: the Splunk Admin must make appropriate time and timezone settings on the forwarders and indexers, using props.conf

Search time: users can choose a timezone, or you can set one by default, using user-prefs.conf - must be done on the search head(s)
Although it is not explicitly documented, try this in etc/system/local/user-prefs.conf

[default]
# Only canonical timezone names such as America/Los_Angeles are allowed
tz = America/Los_Angeles

[general_default]
default_earliest_time = -24h@h

If this doesn't work, try setting the tz explicitly for each role (a bit more painful, but the documented way):

[role_power]
tz = America/Los_Angeles
lang = en-US

[role_user]
tz = GMT

Explorer

Hi,

I need to change the tz for all the users and roles to Oslo, Norway timezone.
(GMT+01:00)

But I can't find system folder under etc folder on our search head.

Instead we have below path:
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf

I tried adding below stanzas in /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf and restarted Splunk, but it's not working.

[default]
tz = Europe/Amsterdam

[general_default]
default_earliest_time = -24h@h

Kindly suggest where I am wrong

Regards,
Ravikiran Shikchi

0 Karma

Legend

If the file $SPLUNK_HOME/etc/system/local/user-prefs.conf does not exist, then you must create it with the contents shown.

0 Karma

Motivator

Hi

Thanks for your help.

I have created this file; however, when I log in from DUBLIN with two users
Admin = Default Time Zone
Consultant = Paris Time Zone

I still get the issues that after I do an action in my GUI it acts differently to when I log in via CITRIX from PARIS.

0 Karma

Contributor

Can you do a "/opt/splunk/bin/splunk btool --debug user-prefs list | less" and search for tz?

0 Karma

Motivator

Hi

I get this with that command

/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf [general]
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf datasets:showInstallDialog = 1
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_assistant = compact
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_auto_format = 0
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_line_numbers = 0
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_syntax_highlighting = light
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf [general_default]
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf appOrder = search
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_earliest_time = -24h@h
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_latest_time = now
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_namespace = $default
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf hideInstrumentationOptInModal = 0
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf showWhatsNew = 1
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf   [role_consultant]
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf   default_namespace = murex_mlc
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf   [role_consultant_read]
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf   default_namespace = murex_mlc

So when I open it up I get this.
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf

[role_consultant]
default_namespace = murex_mlc

[role_consultant_read]
default_namespace = murex_mlc

Not sure if I should try and add in my TZ here or create
etc/system/local/user-prefs.conf

0 Karma
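The tz check discussed above can be done mechanically on the `btool --debug` output. The following is an added example, not part of the original thread and not Splunk's own tooling: it parses output in the shape shown in the post above and reports which stanzas carry a `tz` setting and which file supplied it. The sample input is constructed, and the parser assumes file paths contain no spaces.

```python
import sys

# Constructed sample in the shape of `splunk btool --debug user-prefs list`;
# paths and values are illustrative, not taken from a real system.
SAMPLE = """\
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf [general]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_assistant = compact
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf [general_default]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf default_earliest_time = -24h@h
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   [role_consultant]
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   default_namespace = murex_mlc
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   tz = Europe/Paris
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   [role_consultant_read]
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   default_namespace = murex_mlc
"""

def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for line in text.splitlines():
        parts = line.split(None, 1)          # source file, then the setting
        if len(parts) != 2:
            continue                         # blank or path-only line
        source, rest = parts[0], parts[1].strip()
        if rest.startswith("[") and rest.endswith("]"):
            current = rest[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in rest:
            key, _, value = rest.partition("=")
            stanzas[current][key.strip()] = (value.strip(), source)
    return stanzas

def tz_report(text):
    """Split stanzas into those that set tz (value, source) and those that do not."""
    with_tz, without_tz = {}, []
    for name, settings in parse_btool_debug(text).items():
        if "tz" in settings:
            with_tz[name] = settings["tz"]
        else:
            without_tz.append(name)
    return with_tz, without_tz

if __name__ == "__main__":
    # Pipe real btool output in, or run with no input to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    with_tz, without_tz = tz_report(text)
    for name, (value, source) in with_tz.items():
        print(f"[{name}] tz = {value}  (from {source})")
    print("stanzas without tz:", ", ".join(without_tz) or "none")
```

Running it on each search head and comparing the reports shows whether the same `tz` lines are present in both places.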

Contributor

Yeah, add the tz to your local/user-prefs.conf that you have. I see no reason why that shouldn't work.

0 Karma

Motivator

Bad news, I added this to splunk/etc/apps/user-prefs/local/user-prefs.conf

I log into my two different sites (same user consultant) - one in Paris via Citrix and one in Dublin; the one in Dublin is not behaving like the one in Paris.

[default]
tz = Europe/Paris

[role_consultant]
default_namespace = murex_mlc
tz = Europe/Paris

[role_consultant_read]
default_namespace = murex_mlc
tz = Europe/Paris

0 Karma

Contributor

Are they both supposed to be Europe/Paris? You can do the btool on the one not acting correctly and see if the config is there.

0 Karma

Motivator

Hi

I have the same issues, did you get a fix for this?

0 Karma

Contributor

This answer is great. Thank you.

0 Karma

Motivator

Of the two suggestions, which one worked?

0 Karma

Contributor

I believe the first one worked for me.

0 Karma