Splunk Search

Cisco Network App and Search & Reporting App Time Difference

splunkot
New Member

With no TZ configured, my Search & Reporting App is displaying the correct time (UTC-10:00 or 13:00 HST) but, my Cisco Networks App is displaying a time 10 hours ahead (23:00 HST) of our local time.

When I edit the props.conf in the TA-cisco_ios folder, I enter "TZ = UTC" under the syslog stanza, now the display time is correct (13:00 HST) for the Cisco Network App, but now the Search & Reporting App is displaying a time 10 hours behind (03:00 HST) our local time.

I tried editing both props.conf in the TA-cisco_ios and search App folders with no success.

All of my event logs' time are correct, so how do I get both Cisco Network and Search & Reporting App to display the correct time?

0 Karma

woodcock
Esteemed Legend

You need to go to <Your Login Here> -> Preferences -> Time zone and set it to your preferred value so that Splunk knows how to translates times to suit your location.

0 Karma

splunkot
New Member

I am not sure why but, the problem corrected itself after deploying:

Splunk App for Windows Infrastructure
Splunk Add-on for Microsoft Windows
Splunk Supporting Add-on for Microsoft Windows Active Directory

Now my Cisco Networks Overview and Search and Reporting display time are both UTC-10.

0 Karma

splunkot
New Member

To confirm, I removed Splunk App for Windows Infrastructure, Splunk Add-on for Microsoft Winows, and Splunk Supporting Add-on for Microsoft Windows Active Directory and the display time for the Cisco Networks Overview and Search and Reporting are still UTC-10.

The display time issue may have been resolved from the recent Splunk 7.2.4.2 update.

0 Karma

lakshman239
Influencer

I assume your search head, indexers are configured with your local time or UTC. What's the time zone configuration in the Cisco IOS devices? If they are in a different timezone, the app/add-on would convert/parse them correctly and send data to your indexer to index in correct timezone. Pls check the props.conf to see if they are matching the TZ of the IOS devices.

0 Karma

splunkot
New Member

I have "clock timezone HST -10" configured on my Cisco IOS devices. My Splunk instance is configured with my local time. I searched all apps\system local props.conf for "TZ" and the only TZ configured is for the TA-cisco_ios app.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...