
Timezones differ for User's position and internal events timestamps

New Member

Hi all,
In our case, timestamps within the Splunk events are standard GMT.

Where people are working from different timezones, the event time itself and the timestamps within the events differ. Is there a best practice to get those timestamps equal no matter where somebody is working in the world?
Of course, you can set user settings to standard GMT to have those times equal, but we want to have this translated to every timezone a user is in.

0 Karma

Esteemed Legend

You have to tell Splunk how to convert the timestamp strings inside of each event to GMT, using TZ settings in props.conf and then each user should set his own personal value in <My User Name> -> Account settings -> Time zone. Then each user's personal timezone settings will be used for yesterday, etc.

0 Karma
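The two steps in the answer above, as an added sketch that is not part of the original thread and is not Splunk code: the offset-less timestamp string is parsed once in a declared source zone into epoch seconds, and each viewer's zone is applied only at display time. The event, the viewer names, the fixed offsets (no DST handling) and the function names are all constructed for illustration; `skew_seconds` shows how far an event moves on the timeline when the parser assumes a different zone than the one the source really uses.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample event: the timestamp carries no UTC offset, which is
# the case where the source's zone has to be declared to the parser.
EVENT = "2024-06-11 23:30:00 action=login user=alice status=failure"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

GMT = timezone.utc
# Hypothetical fixed offsets standing in for real zones (assumption).
INDEXER_LOCAL = timezone(timedelta(hours=-5))
VIEWERS = {
    "sydney_analyst": timezone(timedelta(hours=10)),
    "london_analyst": timezone(timedelta(hours=1)),
}


def index_time(event: str, source_tz: timezone) -> int:
    """Read the leading timestamp as wall-clock time in source_tz and
    return epoch seconds, the zone-independent value kept per event."""
    naive = datetime.strptime(event[:19], TIME_FORMAT)
    return int(naive.replace(tzinfo=source_tz).timestamp())


def render(epoch: int, viewer_tz: timezone) -> str:
    """Display-time conversion: same instant, viewer's own clock."""
    local = datetime.fromtimestamp(epoch, viewer_tz)
    return local.strftime("%Y-%m-%d %H:%M:%S %z")


def skew_seconds(event: str, declared: timezone, assumed: timezone) -> int:
    """Error introduced when the parser assumes the wrong source zone."""
    return index_time(event, assumed) - index_time(event, declared)


if __name__ == "__main__":
    epoch = index_time(EVENT, GMT)
    print("stored epoch:", epoch)
    for name, tz in VIEWERS.items():
        print(f"{name:>15}: {render(epoch, tz)}")
    print("skew if parsed in indexer-local zone:",
          skew_seconds(EVENT, GMT, INDEXER_LOCAL), "seconds")
```

Every viewer sees a different wall-clock string for the same stored instant, while a wrong source-zone assumption changes the stored instant itself, which is what breaks cross-source correlation.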


Good choice to have the timestamps in GMT. Splunk defaults to that for the event _time, but if you have all your servers set to that as well, you simplify your life immensely.

Honestly, this is a user education issue. If you attempt to mask the real data as if it was always in local time (no matter where it happened, or where it was being viewed) then you are just adding a massive technical problem, confusing everyone on what the actual form of the event is, and simultaneously multiplying your training problems.

0 Karma