Getting Data In

Where can I find the log source timezone that was used at index time?

New Member

Hello everyone,

It's my understanding that as far as timezone (TZ) information is concerned Splunk will attempt to determine the log source TZ at index then convert and store in UTC by default. Is there any type of global variable that can be used to display that indexed timezone? For forensic purposes and to verify the validity of the information it would be helpful if I could display this information in searches and dashboards.

Thank you

0 Karma

Esteemed Legend

Download and install the "Meta Woot!" and "Data Curator" apps and buckle your seatbelt for a bumpy ride through "Is it really this %^&* bad?" (it is). Let me know if you need help unraveling and mitigating the situation (it can be quite complex); we do custom PS for this frequently (it is a specialized skillset).

0 Karma

Revered Legend

You can look at date_zone field to know the timezone offset from UTC for the event.

0 Karma

New Member

I checked a few indexes and I'm not seeing a date_zone field anywhere. If I could find that field or something similar that would definitely be my option. Any reason it wouldn't be there?

Edit: I may have answered my own question

Note: Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that.

0 Karma

Builder

Wouldn't the original log timestamp be in the event itself? You can click the event of interest, expand it, and then select

Event Actions > Show Source as seen here.

The displayed timestamps don't change in the log itself. It's just so that when users search, the logs have the correct +/- TZ with respect to the selected timezone on their account when searching.

0 Karma

New Member

The timestamp is there but if the logsource doesn't contain TZ information within it I have no way of knowing if the TZ of the source data was GMT, EST, etc...

0 Karma

Builder

Ohhh ok. Now I understand what you're saying. Yes, I think you are right that the date_ fields will exist if there is date information within the original log which then allows you to use the date_zone field. Else, you know it is auto generated in some fashion by Splunk.

0 Karma

Builder

To be clear, you are trying to find the timestamp when the indexer parsed the log file?

0 Karma

New Member

The timezone the indexer assigns to the log source prior to converting to UTC (or whatever) when it stores it in the index.

0 Karma