We have standardized our infrastructure on UTC, but we want to generate reports in PST. Is there a way to specify a timezone transform at search time such that the events themselves don't need to be modified? The link below would change the actual messages as they come in, and I want to keep the data in Splunk and my various raw syslog messages consistent.
Pacific Time (PT) is -7 OR -8 of GMT depending on Daylight Saving Time. From winter to spring it's -8 (PST), from spring to winter it's -7 (PDT).
The answer is as wrong now as it was 9 years ago. Epoch time exists independent of time zones, but your answer alters epoch time without consideration for what epoch time is. No sense continuing the nine years of confusion simply because no one noticed the mistake before.
I too am attempting to view a report and have the times show up in a different time zone.
Your solution simply changes the time, then displays this incorrect time in the "local" timezone so it appears correct.
This does not seem correct to me.
(Using an American example) Let's say something happened at noon Eastern time (-4:00). This event correctly gets logged as happening at noon Eastern; then, when I display it using my Splunk server in the Mountain time zone, it shows up as happening at 10:00 (which is correct).
If I use your approach, I change the time so that the report thinks it happened at 14:00 Eastern; then, when that time is displayed for the Mountain time zone, it shows up as 12:00.
Although the string "12:00" is what I want, this seems a wrong way to do it. This breaks if I decide to print out the timezone as well as the time. It would then show up as "12:00 MST". This also would be fragile if I started to correlate the times with anything else.
What I would like is a way to say I want this report to show up in Eastern time (even though the Splunk server is in the Mountain time zone); then all times would show up in the correct format no matter what.
My other question is: when I view a report on Splunk (using the web interface), how does Splunk decide what timezone to use for displaying the data? Does it use the TZ environment variable of the Splunk user on the server? Does it use something in the browser (locale)? Something else? Can this be overwritten per user?
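The point made in the comments above (shifting the epoch produces the right-looking string but the wrong zone label and a timestamp that no longer correlates, whereas converting at display time keeps the epoch intact), reproduced as an added Python example that is not part of the original thread; the event time, zone names and function names are constructed for illustration and say nothing about how Splunk itself implements its display settings:

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample event: noon Eastern (EDT, UTC-4) on 2024-06-15.
# The epoch value is zone-independent; only its rendering depends on a zone.
EVENT_EPOCH = int(
    datetime(2024, 6, 15, 12, 0, tzinfo=ZoneInfo("America/New_York")).timestamp()
)
FMT = "%H:%M %Z"


def render_local(epoch: int, server_tz: str) -> str:
    """Display an untouched epoch the way a server running in server_tz would."""
    return datetime.fromtimestamp(epoch, tz=ZoneInfo(server_tz)).strftime(FMT)


def render_shifted(epoch: int, shift_hours: int, server_tz: str) -> str:
    """The approach criticised in the thread: add an offset to the epoch itself,
    then let the server's own zone render it. The string looks right, but the
    epoch is now a different instant and the zone label is the server's."""
    return render_local(epoch + shift_hours * 3600, server_tz)


def render_in_zone(epoch: int, target_tz: str) -> str:
    """Convert for display only: the epoch stays as is and the formatting
    picks the target zone, so the label and any correlation remain correct."""
    return datetime.fromtimestamp(epoch, tz=ZoneInfo(target_tz)).strftime(FMT)


def utc_offset_hours(tz_name: str, epoch: int) -> int:
    """Offset of tz_name from UTC at a given instant; varies with DST, which is
    why a fixed shift such as -7 or -8 for Pacific Time cannot be right all year."""
    offset = datetime.fromtimestamp(epoch, tz=ZoneInfo(tz_name)).utcoffset()
    return int(offset.total_seconds() // 3600)


if __name__ == "__main__":
    print("server in Denver, epoch untouched:", render_local(EVENT_EPOCH, "America/Denver"))
    print("epoch shifted +2h, shown in Denver:", render_shifted(EVENT_EPOCH, 2, "America/Denver"))
    print("epoch untouched, shown in New York:", render_in_zone(EVENT_EPOCH, "America/New_York"))
    winter = int(datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc).timestamp())
    print("Pacific offset, June vs January:",
          utc_offset_hours("America/Los_Angeles", EVENT_EPOCH),
          utc_offset_hours("America/Los_Angeles", winter))
```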