
Timezone and Timestamp modification at search/report time?

Engager

We have standardized our infrastructure on UTC, but we want to generate reports in PST. Is there a way to specify a timezone transform at search time such that the events themselves don’t need to be modified? The link below would change the actual messages as they come in, and I want to keep the data in Splunk and my various raw syslog messages consistent.

http://www.splunk.com/base/Documentation/4.1.3/Admin/Applytimezoneoffsetstotimestamps


Re: Timezone and Timestamp modification at search/report time?

Motivator

Try using eval to subtract the difference between UTC and PST (in seconds).

| eval _time=_time-28800

Re: Timezone and Timestamp modification at search/report time?

Explorer

Could you handle daylight savings time dynamically?

0 Karma

Re: Timezone and Timestamp modification at search/report time?

Am I missing something? PST = -7:00 of GMT, so this should be 7*60*60 = 25200. Why is it 28800?

0 Karma

Re: Timezone and Timestamp modification at search/report time?

Path Finder

Pacific Time (PT) is -7 OR -8 of GMT depending on Daylight Saving Time. From winter to spring it's -8 (PST), from spring to winter it's -7 (PDT).

0 Karma

Re: Timezone and Timestamp modification at search/report time?

Motivator

I downvoted this post because epoch time!

Re: Timezone and Timestamp modification at search/report time?

Motivator

9 years later?

Re: Timezone and Timestamp modification at search/report time?

Motivator

The answer is as wrong now as it was 9 years ago. Epoch time exists independent of time zones, but your answer alters epoch time without consideration for what epoch time is. No sense continuing the nine years of confusion simply because no one noticed the mistake before.

0 Karma

Re: Timezone and Timestamp modification at search/report time?

Builder

I downvoted this post because it does not contribute to the content of the post at all.

0 Karma

Re: Timezone and Timestamp modification at search/report time?

Path Finder

I too am attempting to view a report and have the times show up in a different time zone.

Your solution simply changes the time, then displays this incorrect time in the "local" timezone so it appears correct.

This does not seem correct to me.

(Using an American example) Let's say something happened at noon eastern time (-4:00). This event correctly gets logged as happening at noon eastern. When I then display it using my Splunk server in the mountain time zone, it shows up as happening at 10:00 (which is correct).

If I use your approach, I change the time so that the report thinks it happened at 14:00 eastern, then when that time is displayed for the mountain time zone, it shows up as 12:00.

Although the string "12:00" is what I want, this seems a wrong way to do it. This breaks if I decide to print out the timezone as well as the time. It would then show up as "12:00 MST". This also would be fragile if I started to correlate the times with anything else.

What I would like is a way to say I want this report to show up in eastern time (even though the Splunk server is in the mountain time zone), then all times would show up in the correct format no matter what.

My other question is: when I view a report on Splunk (using the web interface), how does Splunk decide what timezone to use for displaying the data? Does it use the TZ environment variable of the splunk user on the server? Does it use something in the browser (locale)? Something else? Can this be overwritten per user?

-Kevin
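
Added example, not part of the thread and not Splunk code: a Python sketch contrasting the fixed `_time-28800` shift discussed above with applying the time zone only when the timestamp is formatted. The sample events, the function names, the UTC display zone and the `America/Los_Angeles` target zone are assumptions made for illustration.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo  # IANA tz database, Python 3.9+

FMT = "%Y-%m-%d %H:%M:%S %Z"
PACIFIC = "America/Los_Angeles"   # assumed target zone for the report
DISPLAY = "UTC"                   # assumed zone the server renders in

# Constructed sample events: 20:00 UTC in winter and in summer.
WINTER = int(datetime(2021, 1, 15, 20, tzinfo=timezone.utc).timestamp())
SUMMER = int(datetime(2021, 7, 15, 20, tzinfo=timezone.utc).timestamp())


def render_shifted(epoch, shift_seconds, display_tz=DISPLAY):
    """Fixed-offset approach: alter the epoch, then format in the display zone."""
    shifted = epoch - shift_seconds  # no longer the instant the event occurred
    return datetime.fromtimestamp(shifted, ZoneInfo(display_tz)).strftime(FMT)


def render_in_zone(epoch, target_tz=PACIFIC):
    """Leave the epoch untouched and apply the zone only when formatting."""
    return datetime.fromtimestamp(epoch, ZoneInfo(target_tz)).strftime(FMT)


def wrong_clock_events(epochs, shift_seconds=28800):
    """Return the events whose shifted wall-clock digits disagree with Pacific time."""
    bad = []
    for e in epochs:
        shifted_clock = render_shifted(e, shift_seconds)[:19]
        true_clock = render_in_zone(e)[:19]
        if shifted_clock != true_clock:
            bad.append(e)
    return bad


if __name__ == "__main__":
    for name, e in (("winter", WINTER), ("summer", SUMMER)):
        print(name, "| shifted:", render_shifted(e, 28800),
              "| zone-aware:", render_in_zone(e))
    print("wrong under fixed shift:", wrong_clock_events([WINTER, SUMMER]))
```

The fixed shift yields the right clock digits only while PST is in effect and always carries the display zone's label, while the zone-aware rendering keeps the stored epoch comparable with other log sources.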