Splunk Search

Splunk indexing and time zone normalization

Mag2sub
Path Finder

In the absence of a device time zone and a props setting, and with the indexer in UTC, what time zone is applied to the event timestamps as seen in the device logs as they are indexed?

Does Splunk do any time zone conversion or normalization to UTC at index time, irrespective of the indexer time zone?

What is the scheduler time zone and time when run from a SH with events collected from an indexer?

0 Karma

lguinn2
Legend

For each event that Splunk indexes, it creates a field (_time) that contains the UTC time of the event.

Here are the rules that Splunk uses to figure out the UTC time: Specify time zones.
Summary of rules: Splunk looks at the following, in order, to determine the timezone of incoming events:

  1. Timezone specified in the event, if there is one
  2. Timezone specified in props.conf, if there is one
  3. Timezone supplied by the forwarder as its system timezone (both forwarder and indexer must be Splunk 6 or later)
  4. System timezone of the indexer

I don't know what you mean by "scheduler timezone". However, when a user runs a search (on a search head or on an indexer), Splunk uses the user's timezone setting (1) to determine the timerange in UTC that should be searched and (2) to display the timestamp (_time) of the results in the user's timezone.

lguinn2
Legend

1) Yes, the indexer converts the time it sees in the event to UTC time, based on the rules I listed. The timestamp that is stored with the events is always UTC.

2) What kind of device? A splunkforwarder knows its system time zone and sends that information along with the events to the indexer. But a device like a firewall that is sending via UDP/TCP won't provide time zone info to the indexer.

3) The timezone that you see in the browser is based on YOUR display settings. Click on your user name at the top of the page to change your display time zone.

0 Karma

Mag2sub
Path Finder

Thanks!
1. When you say "it creates a field (_time) that contains the UTC time of the event", does it normalize or convert to the UTC equivalent of the time it sees in the event?

2. If my device is sending UTC-5 and there is no props setting, and the indexer is in UTC, what would the time at index time be? I ask because the above setting shows up events as UTC+5.

0 Karma

rsennett_splunk
Splunk Employee

You'll want to take a look at this:
http://docs.splunk.com/Documentation/Splunk/6.1/Data/ApplyTimezoneOffsetsToTimeStamps

How Splunk applies time zones
By default, Splunk Enterprise applies time zones using these rules, in this order:

  1. Splunk Enterprise uses any time zone specified in raw event data (for example, PST, -0800).

  2. Splunk Enterprise uses the value of a TZ attribute set in props.conf, if the event matches the host, source, or source type specified by the stanza.

  3. If an event that arrives at an indexer originated at a forwarder, and both the forwarder and the receiving indexer run Splunk Enterprise 6.0 or later, then Splunk Enterprise uses the time zone that the forwarder provides.

  4. Otherwise, Splunk Enterprise uses the time zone of the server that indexes the event.

Note: If you change the time zone setting in the system Splunk Enterprise runs on, you must restart Splunk Enterprise for it to pick up the change.

But to answer your specific question... the SH will adjust what the user sees so that midnight in Greenwich (UTC) will look like 8am to me since I'm in the Pacific Zone. (7am during certain times of the year)

The Scheduler is local to wherever you are sitting... so if I set something to go off at midnight... it's midnight, MY time, regardless of whether it occurs at 10pm in Texas where the logs are written, since that IS midnight in California. So there is a difference between the raw data and the view of the timestamp for convenience... but it won't change the raw data... That is of course, if you haven't deliberately applied offsets etc...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
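To make the precedence concrete, here is an added illustration (not Splunk's code, and the event lines are constructed): a small Python model of the four rules quoted in the two answers above, applied to the case Mag2sub describes, a device at UTC-5 that stamps its logs without a zone marker while the indexer runs in UTC. The abbreviation table and regex are deliberately minimal stand-ins for Splunk's own timestamp recognition.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events: a firewall line with no zone marker, and the same line with -0500.
EVENT_NO_ZONE = "2024-03-10 12:00:00 fw01 deny tcp 10.0.0.5 -> 203.0.113.9"
EVENT_WITH_OFFSET = "2024-03-10 12:00:00 -0500 fw01 deny tcp 10.0.0.5 -> 203.0.113.9"
DEVICE_TZ = timezone(timedelta(hours=-5))   # the device's real zone (UTC-5)

# Small subset of zone abbreviations an event might carry; Splunk itself knows many more.
ZONE_ABBREVIATIONS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "PST": -8, "PDT": -7}

TIMESTAMP_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})"
    r"(?:\s*(?P<zone>[+-]\d{2}:?\d{2}|[A-Z]{3}))?"
)

def zone_from_event(event):
    """Rule 1: a numeric offset (-0500) or known abbreviation (PST) right after the timestamp."""
    m = TIMESTAMP_RE.search(event)
    if not m or not m.group("zone"):
        return None
    z = m.group("zone")
    if z[0] in "+-":
        sign = 1 if z[0] == "+" else -1
        return timezone(sign * timedelta(hours=int(z[1:3]), minutes=int(z[-2:])))
    if z in ZONE_ABBREVIATIONS:
        return timezone(timedelta(hours=ZONE_ABBREVIATIONS[z]))
    return None  # three capitals that are not a zone (e.g. a hostname) are ignored

def resolve_event_time(event, props_tz=None, forwarder_tz=None, indexer_tz=timezone.utc):
    """Walk the four rules in order; return (rule used, _time as an aware UTC datetime)."""
    m = TIMESTAMP_RE.search(event)
    if not m:
        raise ValueError("no recognisable timestamp in event")
    naive = datetime.strptime(m.group("ts").replace("T", " "), "%Y-%m-%d %H:%M:%S")
    candidates = [
        ("1: zone in raw event", zone_from_event(event)),
        ("2: TZ in props.conf", props_tz),
        ("3: forwarder system zone", forwarder_tz),
        ("4: indexer system zone", indexer_tz),
    ]
    rule, tz = next((r, t) for r, t in candidates if t is not None)
    return rule, naive.replace(tzinfo=tz).astimezone(timezone.utc)

def indexed_minus_true_hours(event, indexer_tz=timezone.utc, device_tz=DEVICE_TZ):
    """Hours by which stored _time misses the device's true instant when only rule 4 applies."""
    _, indexed = resolve_event_time(event, indexer_tz=indexer_tz)
    _, truth = resolve_event_time(event, props_tz=device_tz)
    return (indexed - truth).total_seconds() / 3600
```

With no zone in the event and no props.conf TZ, the 12:00 local stamp is stored as 12:00 UTC, five hours earlier than the real instant (17:00 UTC); setting TZ in props.conf, or having the device emit an offset, removes the discrepancy.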