Getting Data In

What is the best practice for setting time zone?

srisplunk12
Engager

We have Splunk instances running in EST, however the application log files are in GMT & EST.
When Splunk is indexing the log files in GMT, the time and the timestamp in the event both are showing up in GMT in search.

So, as per the requirement, we are editing the props.conf file to make the time in EST and timestamp in the event in GMT.
I would like to know what is the best practice and is there a global change I can do to fix the timestamp for all the events in Splunk instance to make them in EST regardless of the log file timestamp?

0 Karma

aaraneta_splunk
Splunk Employee

@srisplunk12 - Did the answer provided by jkat54 help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

DalJeanis
SplunkTrust

You will save yourself a lot of grief if you have ALL the servers and logs reporting in UTC, then present them in local time. Failing to enact a simple standard like that, you will be chasing time zones for [ominous voice] the rest of your days.

0 Karma

nickhills
Ultra Champion

Whilst not an easy sell in some cases, we took the decision to use UTC everywhere in our environment.
Servers in US, APAC, EU all on zulu.

Takes a bit of getting used to, but makes tracking and correlating events across regions so much simpler.

If my comment helps, please give it a thumbs up!
0 Karma

jkat54
SplunkTrust

You could do something like this:

[host::*]
TZ = EST

But I don't think that's going to be what you want to do. If the log timestamps are in GMT, you want that specific log to be ingested as GMT like this example:

[source::myLog.txt]
TZ = GMT

This way when you're searching in Splunk you don't have an event that happened at 5am GMT showing as 5AM EST... because then when you went to investigate on the server you'd be looking at 5AM EST portions of the logs and seeing 10AM GMT stuff...

If that makes any sense... best to do by source, sourcetype or host if possible.
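As an added illustration (not from this thread and not Splunk's own code), here is a small Python model of what the TZ setting in those stanzas does: the naive timestamp in a log line is interpreted in the stanza's zone to produce _time, and search then renders _time in the user's zone. It assumes fixed offsets (EST = UTC-5, no DST), a props.conf reduced to a dict, and that a literal source:: stanza takes precedence over the host::* catch-all.

```python
from datetime import datetime, timedelta, timezone

# Fixed-offset stand-ins for the tz database (constructed; DST is ignored).
ZONES = {"GMT": timezone(timedelta(0), "GMT"),
         "EST": timezone(timedelta(hours=-5), "EST")}

# The two stanzas from the answer above, reduced to a dict (constructed).
PROPS = {"host::*": "EST", "source::myLog.txt": "GMT"}


def tz_for(source: str, props: dict) -> str:
    """Pick the TZ for an event: an exact source:: stanza wins over the
    host::* catch-all (assumed precedence for this model)."""
    return props.get(f"source::{source}", props.get("host::*", "GMT"))


def index_event(line: str, source: str, props: dict = PROPS) -> float:
    """Return the epoch _time assigned at index time: the naive timestamp at
    the start of the line, read in the zone chosen for this source."""
    stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=ZONES[tz_for(source, props)]).timestamp()


def render_local(epoch: float, user_tz: str = "EST") -> str:
    """Search-time view: _time shown in the searcher's zone."""
    return datetime.fromtimestamp(epoch, ZONES[user_tz]).strftime("%Y-%m-%d %H:%M %Z")


# Constructed log line written by an application that logs in GMT.
GMT_LINE = "2024-03-10 05:00:00 login ok"

if __name__ == "__main__":
    # No source stanza: falls through to host::* and is misread as EST.
    wrong = index_event(GMT_LINE, "other.txt")
    # Source stanza present: read correctly as GMT.
    right = index_event(GMT_LINE, "myLog.txt")
    print("misread  :", render_local(wrong))   # 5am GMT shown as 5am EST
    print("correct  :", render_local(right))   # 5am GMT shown as midnight EST
    print("offset(s):", wrong - right)         # 18000: five hours too late
```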
