I have a question,
Can I view the time zone setting in Splunk Web? I need to check what time zone has been set in Splunk.
Example log taken from Splunk:
Jan 27 08:53:39 xx.xx.xxx.xxx Jan 27 16:51:35 [2015-01-27 16:51:35.984
If you refer to the example above, the highlighted italic part refers to the ESX server. The ESX is set to the UTC time zone.
In more detail, to make it easier for readers to understand:
1. When I click the Splunk app, it appears in Internet Explorer (Splunk > Home)
2. Then I click Search
3. Then I click Data Summary and a dialog box appears for me to choose which ESX. This is the more interesting part, because the Last Update column is in my time zone
4. After clicking one host, the log report appears (like the example)
Splunk is installed on Windows Server 2008 and the time zone on the desktop is local time (+8). I say Splunk is installed on this server because I can see the Splunk web services on this server. Lastly, I checked the file "props.conf" and did not find any TZ.
Hope someone can help me regarding this.
Martin already answered this question.
"Why is timestamp different in Splunk compared to the logs?"
1. At index time, Splunk parses the timestamp and stores it in epoch time.
2. At search time, Splunk searches events by epoch time and renders them in the user's time zone, so that the user sees when the event happened in the user's local time.
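The two steps above, walked through on a line shaped like the one in the question, as an added example that is not part of the original thread. It assumes the bracketed timestamp is written by the ESX host in UTC and that the viewing user is at +8, and shows why the same stored epoch appears 8 hours later on screen.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the line quoted in the question:
# syslog relay header, then the ESX-generated timestamp in brackets.
SAMPLE_LINE = "Jan 27 08:53:39 10.0.0.1 Jan 27 16:51:35 [2015-01-27 16:51:35.984"

# Matches the bracketed "YYYY-MM-DD HH:MM:SS.mmm" part of the event.
BRACKET_TS = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.(\d{3})")


def index_time_epoch(line: str, source_tz: timezone = timezone.utc) -> float:
    """Step 1 (index time): parse the bracketed timestamp, interpret it in
    the zone the source host writes in (UTC here, per the question, which
    is what a props.conf TZ setting would pin down), and return epoch
    seconds, the form in which Splunk stores the event's _time."""
    m = BRACKET_TS.search(line)
    if not m:
        raise ValueError("no bracketed timestamp found in line")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=source_tz, microsecond=int(m.group(2)) * 1000)
    return aware.timestamp()


def render_for_user(epoch: float, user_offset_hours: int) -> str:
    """Step 2 (search time): format the stored epoch in the viewing
    user's time zone, which is what Splunk Web shows in the results."""
    user_tz = timezone(timedelta(hours=user_offset_hours))
    shown = datetime.fromtimestamp(epoch, user_tz)
    return shown.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]  # keep milliseconds


def display_offset_hours(line: str, user_offset_hours: int,
                         source_tz: timezone = timezone.utc) -> float:
    """How far (in hours) the rendered time drifts from the text in the raw
    event; the epoch itself never changes, only its presentation does."""
    epoch = index_time_epoch(line, source_tz)
    raw = datetime.strptime(BRACKET_TS.search(line).group(1), "%Y-%m-%d %H:%M:%S")
    shown = datetime.strptime(render_for_user(epoch, user_offset_hours)[:19],
                              "%Y-%m-%d %H:%M:%S")
    return (shown - raw).total_seconds() / 3600


if __name__ == "__main__":
    e = index_time_epoch(SAMPLE_LINE)
    print("stored _time (epoch):", e)
    print("as seen by a UTC user:", render_for_user(e, 0))
    print("as seen by a +8 user: ", render_for_user(e, 8))
```

Passing a different `source_tz` to `index_time_epoch` reproduces the opposite problem: if the same text were interpreted as +8 instead of UTC at index time, every event would be stored 8 hours too early.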