Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: how to change timezone for splunk-add-onn for ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to change timezone for splunk-add-onn for google cloud platform
hi, please i would like to ask for help to determine how to convert the timezone of events i am indexing with the gcp cloud plattform add-on before they are indexed. Events arrive today in UTC, and I need to convert that time to gmt-4. I have been trying from the sourcetype configuration, without success. I was also seeing this link, without much success
https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Applytimezoneoffsetstotimestamps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say you need to convert that time, what do you mean exactly?
Events are stored using UTC at index time. At search time Splunk uses the time zone set on the Splunk instance (default time zone), unless a given user has changes that.
I think the latter is what you are after is displaying the correct time when searching. For this you don't need any conversion, just go to your user preferences and change your time zone to GMT. Splunk will then automatically adjust the results for you.
An upvote would be appreciated and Accept Solution if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, this problem was resolved with this article:
https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Configuretimestamprecognition
thanks so much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are in EST and all data from Google in in UTC, so all of our data was four hours off:
index=<your gcp index> |
eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") |
eval delta = _indextime - _time |
table sourcetype, _time, _indextime, indextime, delta |
sort indextime desc
sourcetype _time indextime delta
| google:gcp:pubsub:message | 2021-09-14 21:13:45.381 | 2021-09-14 17:13:48 | -14397.381004 |
| google:gcp:pubsub:message | 2021-09-14 21:13:47.272 | 2021-09-14 17:13:47 | -14400.272801 |
| google:gcp:pubsub:message | 2021-09-14 21:13:46.430 | 2021-09-14 17:13:47 | -14399.43 |
jofret, is this the change you made? Edit file /opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/local/props.conf
[google:billing:json]
TZ = UTC
[google:billing:csv]
TZ = UTC
[google:gcp:billing:report]
TZ = UTC
[google:gcp:pubsub:message]
TZ = UTC
[google:gcp:pubsub:audit:auth]
TZ = UTC
[google:gsuite:pubsub:audit:auth]
TZ = UTC
[google:gcp:gsuite:admin:directory:users]
TZ = UTC
[google:gcp:buckets:xmldata]
TZ = UTC
[google:gcp:buckets:jsondata]
TZ = UTC
[google:gcp:buckets:*data]
TZ = UTC
[google:gcp:compute:instance]
TZ = UTC
[google:gcp:compute:vpc_flows]
TZ = UTC
After refreshing the heavy forwarder this Splunk add is running on the the issue seems to be resolved.
sourcetype _time indextime delta
| google:gcp:pubsub:message | 2021-09-14 17:20:38.147 | 2021-09-14 17:20:39 | 0.852020 |
| google:gcp:pubsub:message | 2021-09-14 17:20:38.146 | 2021-09-14 17:20:39 | 0.853950 |
| google:gcp:pubsub:message | 2021-09-14 17:20:38.097 | 2021-09-14 17:20:39 | 0.902150 |
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
