Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Ignore time zone in searches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, is there a way of ignoring the time zone in the searches? Currently, Splunk will reinterpret the difference in time zones. Because of daylight savings time, Splunk will offset the results by one hour from the actual timestamp. So, I would like to know what actually happened at say 11:23 and not 11:23 minus an hour.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At the moment the best way to do this is for the user to adjust their timezone settings to match the server Or the time they are investigating. Otherwise just making the adjustments when they search 🙂
You could submit an enhancement request for this at https://www.splunk.com/page/submit_issue
It may be something that is included, really I would say that its just a matter of user training, or ensuring that your infrastructure operates on UTC to make life even easier!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following macro formats the time to a standard utc timezone:
[utc]
definition = eval time_offset=strftime(_time,"%:::z") | convert num(time_offset) | eval time_offset=if(time_offset<=0, "+" . -time_offset, tostring(-time_offset)), time_utc=relative_time(_time,time_offset . "h") | convert timeformat="%F %T UTC" ctime(time_utc) | convert `timeformat` ctime(_time) AS time_localThe following macro sets the time to the timezone of your choice:
[tz(1)]
definition = eval utc_offset=strftime(_time,"%:::z") | convert num(utc_offset) | eval tz_offset = $tz$ - utc_offset, tz_offset = if(tz_offset>=0,"+".tz_offset,tz_offset), utc_offset = if(utc_offset<=0,"+".-utc_offset,tostring(-utc_offset)) | eval time_tz=relative_time(_time, tz_offset . "h"), utc_time=relative_time(_time,utc_offset . "h") | convert timeformat="%F %T UTC" ctime(utc_time) | convert timeformat="%F %T UTC$tz$" ctime(time_tz) | convert `timeformat` ctime(_time) AS my_time | fields - tz_offset utc_offset* | rename time_tz AS "time:$tz$"
args = tz
[timeformat]
definition = timeformat="%F %T UTC%:::z %Z"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At the moment the best way to do this is for the user to adjust their timezone settings to match the server Or the time they are investigating. Otherwise just making the adjustments when they search 🙂
You could submit an enhancement request for this at https://www.splunk.com/page/submit_issue
It may be something that is included, really I would say that its just a matter of user training, or ensuring that your infrastructure operates on UTC to make life even easier!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, Drainy!
I don't think user training is going to be that effective, and switching timezones is only going to help if I can switch to a zone which is identical, but without DST.
Changing to UTC is not an option, so I hope an enhancement request might help.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
