Why is timestamp different in Splunk compared to the logs and can I view the timezone setting in Splunk Web?

New Member

I have a question,

Can I view the time zone setting in Splunk Web? I need to check what time zone has been set in Splunk.

Example log taken from Splunk
Jan 27 08:53:39 xx.xx.xxx.xxx Jan 27 16:51:35 [2015-01-27 16:51:35.984

If you refer to the example above, the highlighted italic part refers to the ESX Server. The ESX is set to the UTC time zone.

To give more detail and make it easier for the reader to understand:
1. When I click the Splunk App, Internet Explorer appears (Splunk > Home).
2. Then I click Search.
3. Then I click Data Summary and a dialog box appears for me to choose which ESX. This is the more interesting part, because the Last Update column is in my time zone.
4. After clicking one host, the log report appears (like the example).

Additional Information
Splunk is installed on Windows Server 2008, and the time zone on the desktop is local time (+8). I say Splunk is installed on this server because I can see the Splunk web services on this server. Lastly, I checked the file "props.conf" and did not find any TZ.

Hope someone can help me regarding this.

Thanks,

0 Karma

SplunkTrust

You can see and edit the time zone used to display data for your user by clicking your user name in the top bar of the Splunk UI.

Splunk Employee

Martin already answered this question.

Additional info:

"Why is timestamp different in Splunk compared to the logs?"
1. At index time, Splunk parses the timestamp and sets it in epoch time.
2. At search time, Splunk searches events by epoch time based on the user's time zone, so that the user can see when the event happened in the user's own time.

http://docs.splunk.com/Documentation/Splunk/6.2.1/data/Applytimezoneoffsetstotimestamps

0 Karma
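
The two steps in the answer above (parse to epoch at index time, render in the user's time zone at search time), as an added Python example that is not Splunk's code and not part of the original posts. The function names are hypothetical; the sample timestamp comes from the log line in the question, and the year 2015 and the fixed UTC and UTC+8 offsets are assumptions taken from the question's description.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumed user/desktop zone from the question ("local time (+8)").
UTC_PLUS_8 = timezone(timedelta(hours=8), "UTC+8")


def index_event(raw_ts, year, source_tz):
    """Index time: interpret a zoneless syslog timestamp in source_tz
    and return epoch seconds (the zone-independent stored value)."""
    naive = datetime.strptime(f"{year} {raw_ts}", "%Y %b %d %H:%M:%S")
    return int(naive.replace(tzinfo=source_tz).timestamp())


def render(epoch, user_tz):
    """Search time: show the stored epoch in the viewing user's zone."""
    return datetime.fromtimestamp(epoch, tz=user_tz).strftime(
        "%Y-%m-%d %H:%M:%S %Z"
    )


def skew_hours(raw_ts, year, true_tz, assumed_tz):
    """Error introduced when the indexer assumes the wrong source zone."""
    wrong = index_event(raw_ts, year, assumed_tz)
    right = index_event(raw_ts, year, true_tz)
    return (wrong - right) / 3600


if __name__ == "__main__":
    raw = "Jan 27 08:53:39"  # zoneless timestamp from the question's log
    epoch = index_event(raw, 2015, UTC)  # source host writes UTC
    print("stored epoch      :", epoch)
    print("shown to UTC user :", render(epoch, UTC))
    print("shown to +8 user  :", render(epoch, UTC_PLUS_8))
    # If the indexer had assumed its own +8 zone for the UTC source:
    print("skew if mis-assumed:", skew_hours(raw, 2015, UTC, UTC_PLUS_8), "h")
```

The same stored epoch displays eight hours apart for the two users, which is expected behaviour; a wrong zone assumption at index time instead shifts the stored epoch itself, which is the case the TZ setting in props.conf and the linked documentation address.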