The timezone for Turkey will stay at the Daylight ...

christopherr_sp · ‎10-20-2016

In Turkey, the clock is no longer going back during the Winter months the timezone will always be:

GMT +03:00

[https://www.timeanddate.com/worldclock/turkey/istanbul][1]

christopherr_sp · ‎03-15-2017

Splunk handles timezones with the following order:

(1) A time zone indicator in the raw event data e.g. -800, GMT-8 or PST

(2) The value of a TZ attribute set in props.conf
* Checks the host, source or sourcetype stanzas
* If a forwarder is used, the forwarder-provided time zone is used

e.g.

[host::myserver*] 
TZ = Europe/Moscow 

[source::/mnt/eu_east/*] 
TZ = Europe/Volgograd

(3) If all else fails, Splunk applies the timezone of the indexer's host server.

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

So in the meantime you just need to use a timezone (close to Turkey) that has +03:00 all year around until a patch has been created.

    CC* Coordinates*      TZ*                Comments*                   UTC offset  UTC DST offset Notes 

    RU  +554521+0373704 Europe/Moscow      MSK+00  - Moscow area           +03:00   +03:00 
    RU  +4844+04425     Europe/Volgograd    MSK+00  - Volgograd, Saratov    +03:00  +03:00

The following Enhancement Request has been logged:

SPL-129875 Turkey timezone change to +03:00 (permanent Daylight Saving)

The timezone for Turkey will stay at the Daylight Saving Time of UTC/GMT +03:00. What can be carried out in Splunk so this timezone is picked up.

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor