Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cisco Network App and Search & Reporting App Time Difference

splunkot
New Member
‎02-22-2019 07:21 PM

With no TZ configured, my Search & Reporting App is displaying the correct time (UTC-10:00 or 13:00 HST) but, my Cisco Networks App is displaying a time 10 hours ahead (23:00 HST) of our local time.

When I edit the props.conf in the TA-cisco_ios folder, I enter "TZ = UTC" under the syslog stanza, now the display time is correct (13:00 HST) for the Cisco Network App, but now the Search & Reporting App is displaying a time 10 hours behind (03:00 HST) our local time.

I tried editing both props.conf in the TA-cisco_ios and search App folders with no success.

All of my event logs' time are correct, so how do I get both Cisco Network and Search & Reporting App to display the correct time?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-28-2019 12:00 AM

You need to go to <Your Login Here> -> Preferences -> Time zone and set it to your preferred value so that Splunk knows how to translates times to suit your location.

0 Karma
Reply

splunkot
New Member
‎03-12-2019 05:30 PM

I am not sure why but, the problem corrected itself after deploying:

Splunk App for Windows Infrastructure
Splunk Add-on for Microsoft Windows
Splunk Supporting Add-on for Microsoft Windows Active Directory

Now my Cisco Networks Overview and Search and Reporting display time are both UTC-10.

0 Karma
Reply

splunkot
New Member
‎03-13-2019 01:04 PM

To confirm, I removed Splunk App for Windows Infrastructure, Splunk Add-on for Microsoft Winows, and Splunk Supporting Add-on for Microsoft Windows Active Directory and the display time for the Cisco Networks Overview and Search and Reporting are still UTC-10.

The display time issue may have been resolved from the recent Splunk 7.2.4.2 update.

0 Karma
Reply

lakshman239
Influencer
‎02-23-2019 02:40 PM

I assume your search head, indexers are configured with your local time or UTC. What's the time zone configuration in the Cisco IOS devices? If they are in a different timezone, the app/add-on would convert/parse them correctly and send data to your indexer to index in correct timezone. Pls check the props.conf to see if they are matching the TZ of the IOS devices.

0 Karma
Reply

splunkot
New Member
‎02-25-2019 11:46 AM

I have "clock timezone HST -10" configured on my Cisco IOS devices. My Splunk instance is configured with my local time. I searched all apps\system local props.conf for "TZ" and the only TZ configured is for the TA-cisco_ios app.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...