Searching indexes with your timezone set different...

mtmoore · ‎02-05-2014

Our data's date field uses UTC for all data across the globe for this one set of data. This is fine.

When a user runs a search using earliest and latest, unless I am mistaken, the date/time field it uses will be the timestamp placed on the data by Splunk and not the date field that is in the logs.

This is all well and good if the 2 date/times match up - even then though the user can change their timezone and this goes out of whack.

How can I force the search to look at the last 7 days using the UTC date/time stamp within the log itself and not Splunk's date/time stamp?

Thanks!

blebit · ‎02-05-2014

or you can edit from your server

props.conf

[host:: the_host]
TZ = Location_TimeZone

mtmoore · ‎02-05-2014

How will this force a search to use the date time zone of the raw log as opposed to the Splunk date/time based on your personal timezone settings?

blebit · ‎02-05-2014

props.conf @ remote location

TZ=Location_TimeZone

Searching indexes with your timezone set differently to the data's timezone

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation