Solved: Re: Splunk displaying events with the correct time...

Ant1D · ‎09-04-2012

Hi,

I have some data in an index where the events all begin with a UTC timestamp. My Splunk indexer server is in the UK and I would like the timestamps for these events to be interpreted as being in the Splunk indexer timezone (UK) instead of the UTC.

How can I do this?

At present, if a new event arrives at 11AM UK time, the timestamp will say 10AM which is the UTC time so it means that any searches that I do over the last 60 minutes or less will return no results which should not be the case.

Thanks in advance for your help.

Ant1D · ‎09-04-2012

The solution is to make the following addition to your props.conf file:

[the_sourcetype_name] TZ = the_timezone_that_your_timestamps_are_in

For this question, you would need to add TZ = UTC

View solution in original post

Ant1D · ‎09-04-2012

The solution is to make the following addition to your props.conf file:

[the_sourcetype_name] TZ = the_timezone_that_your_timestamps_are_in

For this question, you would need to add TZ = UTC

whitewool · ‎09-04-2012

Here is the link for TZ settings in the Splunk Docs

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/ApplyTimezoneOffsetstotimestamps

Ant1D · ‎09-04-2012

thanks for the link

Ant1D · ‎09-04-2012

I tried using the TZ = value attribute before and it didn't work. I guess I can try this again

MuS · ‎09-04-2012

Hi Ant1D

have you check the docs on how to set different timezones?

cheers,

MuS

Ant1D · ‎09-04-2012

thanks for the link

Ant1D · ‎09-04-2012

Looks to be working now

Ant1D · ‎09-04-2012

I tried using the TZ = value attribute before and it didn't work. I guess I can try this again

Splunk displaying events with the correct timezone

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!