Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Timezone issue with Splunk on Windows

let_eat_bee
New Member
‎04-12-2012 12:53 AM

I've stucked on a couple of issues on Splunk since there was changes in timezone shift in my country.

The main problem that the Splunk treats event data(all these syslog messages are sent in local time) normally and puts correct timestamp in front of them. BUT it shows incorrect time range when I choose option to search in some time range, not "all time", for example "last 15 minutes" or similar in real-time search:

for example, local time is

10:38:02

but when I choose to search for last 15 minutes it shows me no event data and writes this on the top:

1 result in the last 15 minutes (from 09:23:00 to 09:38:02 on Thursday, April 12, 2012)
as you can see, time range there is incorrect with one hour diffirence.
the same time I've got when issued the search

* | stats count AS tnow | eval tnow = now() | convert ctime(tnow)

result is

04/12/2012 09:38:02

there is no TZ settings in my props.conf(C:\Program Files\Splunk\etc\system\local)

local time on windows server and timezone setting is correct.

I only guess that splunk's C:\Program Files\Splunk\share\splunk\zoneinfo.tzpack file(i guess it copy of zoneinfo) is inactual, Because recently Belarus had UTC+02 timezone and now UTC+03.

What is format of this file ? May I somehow view it's content?

Tags (2)
0 Karma
Reply

let_eat_bee
New Member
‎04-20-2012 12:26 AM

thank you for the answers. As I've already said, I tried to play with TZ in props.conf.
And it affect only on eventdata timestamps, not on that time, taken when "last 15 min" search is chosen(I've mark it in screenshot attatched)
http://imm.io/mCOF
alt text

0 Karma
Reply

let_eat_bee
New Member
‎04-22-2012 07:26 AM

yes, but I use free license with one user
and make changes in config in etc/system/local/props.conf as well which has priority over other configs(per app, per user I mean..)

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎04-20-2012 06:56 AM

Did you see my comment above re: per-user time zones?

0 Karma
Reply

kmattern
Builder
‎04-19-2012 09:25 AM

In your etc/system/local/props.conf add the following stanza

[host::$YOUR_SERVER_NAME$]
TZ=$YOUR_TIME_ZONE$

for example I have my server set to GMT. My stanza looks like this

[host::Win2k8-Splunk]
TZ=GMT
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎04-19-2012 11:19 AM

Don't forget that in 4.3 you can specify a timezone value per user:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/Setupbuilt-inauthentication#Add_and_edit_use...

Reply

let_eat_bee
New Member
‎04-19-2012 05:23 AM

please anyone help me with the problem...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...