It's my understanding that as far as timezone (TZ) information is concerned Splunk will attempt to determine the log source TZ at index then convert and store in UTC by default. Is there any type of global variable that can be used to display that indexed timezone? For forensic purposes and to verify the validity of the information it would be helpful if I could display this information in searches and dashboards.
Download and install the "Meta Woot!" and "Data Curator" apps and buckle your seatbelt for a bumpy ride through "Is it really this %^&* bad?" (it is). Let me know if you need help unraveling and mitigating the situation (it can be quite complex); we do custom PS for this frequently (it is a specialized skillset).
I checked a few indexes and I'm not seeing a date_zone field anywhere. If I could find that field or something similar that would definitely be my option. Any reason it wouldn't be there?
Edit: I may have answered my own question
Note: Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that.
Wouldn't the original log timestamp be in the event itself? You can click the event of interest, expand it, and then select Event Actions > Show Source as seen.
The displayed timestamps don't change in the log itself. It's just so that when users search, the logs have the correct +/- TZ with respect to the selected timezone on their account when searching.
Ohhh ok. Now I understand what you're saying. Yes, I think you are right that the date_* fields will exist if there is date information within the original log, which then allows you to use the date_zone field. Else, you know it is auto generated in some fashion by Splunk.
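As an added example (not posted by anyone in this thread), here is a search that puts the date_* fields discussed above next to the stored _time and _indextime, so you can see for each event whether Splunk took the timestamp from the event text or assigned one itself, and whether the offset it recorded agrees with the hour written in the event. The index and sourcetype are placeholders. It assumes the documented behaviour that date_zone holds the event's own UTC offset in minutes (or the string "local"), that _time is stored as epoch UTC and rendered by strftime in the searching user's timezone, and that date_* fields are simply absent when the timestamp was assigned at index or input time.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| eval time_as_user_sees = strftime(_time, "%Y-%m-%dT%H:%M:%S%z")
| eval indexed_at        = strftime(_indextime, "%Y-%m-%dT%H:%M:%S%z")
| eval index_lag_s       = _indextime - _time
| eval has_own_time      = if(isnotnull(date_zone), "yes", "no (assigned by Splunk)")
| eval event_local       = if(isnotnull(date_zone),
      date_year."-".date_month."-".date_mday." ".date_hour.":".date_minute.":".date_second,
      null())
| eval expected_hour     = case(
      date_zone="local",    null(),
      isnotnull(date_zone), tonumber(strftime(_time + tonumber(date_zone)*60, "%H")))
| eval tz_consistent     = case(
      isnull(expected_hour),           "n/a",
      expected_hour=tonumber(date_hour), "yes",
      true(),                          "MISMATCH")
| table _time time_as_user_sees event_local date_zone tz_consistent has_own_time indexed_at index_lag_s source
```

What each column tells you: time_as_user_sees is the same epoch value every user has, only rendered in that user's account timezone (the %z suffix shows which one); event_local is rebuilt from the raw date_* fields exactly as the source system wrote them; tz_consistent shifts _time by the recorded date_zone offset and checks that the resulting hour matches date_hour, so a "MISMATCH" row means the offset Splunk applied at index time does not reproduce the clock value in the event text and the source's TZ configuration deserves a look; index_lag_s is how long after the event's own time it was indexed, which is useful when the question is whether a timestamp was backdated or simply arrived late. The same eval chain works unchanged as a dashboard panel query.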