Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timezones - what am i missing?

Sqig
Path Finder
‎09-28-2012 12:52 PM

Hi.

We have some log data where each line starts with a timestamp that looks like this:

2012-09-28 15:44:35,302

Nothing else in the data looks anything like a timestamp.

Splunk is indexing this as UTC, so it displays 4 hours earlier.

The timezone on the source server is in Eastern.

We are running a Splunk Universal Forwarder there, so on the Heavy Forwarder, I have the following:

[my_sourcetype_here]
TZ = US/Eastern

For what it's worth, I also tried with [host::hostnamepattern*]

Neither seem to have taken effect with newly-indexed events, despite actually restarting the Heavy forwarders!

Am I missing something here?

Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sqig
Path Finder
‎10-02-2012 10:43 AM

If I could remove a question I have posted, I would in this case. This was user error on my part and not anything to do with Splunk.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Sqig
Path Finder
‎10-02-2012 10:43 AM

If I could remove a question I have posted, I would in this case. This was user error on my part and not anything to do with Splunk.

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎10-02-2012 10:15 AM

If Splunk is indexing in UTC, then your server is likely set to use UTC. See this link for help on how Splunk sets time zones:

http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/ApplyTimezoneOffsetsToTimeStamps

0 Karma
Reply
Solved! Jump to solution

jcaffero
Explorer
‎10-02-2012 10:13 AM

I was having a similar issue, running in Central time. I created a props.conf file within the C:\Program Files\Splunk\etc\system\local filepath with just the value TZ = UTC-6, Eastern would likely be UTC-5 and my timestamps are displaying correctly. Unfortunately I don't see my props.conf file in that directory anymore but the timestamps are still working correctly.

JC

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-28-2012 01:19 PM

A bit unclear about the setup - is it UF -> HF -> Indexer?

TZ settings should go to where the parsing phase takes place - in the above scenario, that would be the HF (As can be seen here).

Have you tried either EST or -04:00 instead of US/Eastern?

/Kristian

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...