I've been stuck on a couple of issues in Splunk since there was a change in the timezone shift in my country.
The main problem is that Splunk treats the event data (all these syslog messages are sent in local time) normally and puts the correct timestamp in front of them. BUT it shows an incorrect time range when I choose the option to search in some time range other than "all time", for example "last 15 minutes" or similar in a real-time search:
For example, local time is
10:38:02
but when I choose to search for the last 15 minutes it shows me no event data and writes this at the top:
1 result in the last 15 minutes (from 09:23:00 to 09:38:02 on Thursday, April 12, 2012)
As you can see, the time range there is incorrect, with a one-hour difference.
I get the same time when I issue the search
* | stats count AS tnow | eval tnow = now() | convert ctime(tnow)
The result is
04/12/2012 09:38:02
There are no TZ settings in my props.conf (C:\Program Files\Splunk\etc\system\local).
The local time on the Windows server and the timezone setting are correct.
I can only guess that Splunk's C:\Program Files\Splunk\share\splunk\zoneinfo.tzpack file (I guess it is a copy of zoneinfo) is out of date, because recently Belarus had the UTC+02 timezone and now has UTC+03.
What is the format of this file? May I somehow view its content?