I too am attempting to view a report and have the times show up in a different time zone.
Your solution simply changes the time, then displays this incorrect time in the "local" timezone so it appears correct.
This does not seem correct to me.
(Using an American example)
Let's say something happened at noon eastern time (-4:00).
This event correctly gets logged as happening at noon eastern, then I display it using my splunk server in the mountain time zone, it shows up as happening at 10:00 (which is correct).
If I use your approach, I change the time so that the report thinks it happened at 14:00 eastern, then when that time is displayed for the mountain time zone, it shows up as 12:00.
Although the string "12:00" is what I want, this seems a wrong way to do it.
This breaks if I decide to print out the timezone as well as the time.
It would then show up as "12:00 MST". This also would be fragile if I started to correlate the times with anything else.
What I would like is a way to say I want this report to show up in eastern time (even though the splunk server is in the mountain time zone), then all times would show up in the correct format no matter what.
My other question is when I view a report on splunk (using the web interface), how does splunk decide what timezone to use for displaying the data, does it use the TZ environment variable of the splunk user on the server? Does it use something in the browser (locale)?
Something else? Can this be overwritten per user?
-Kevin
... View more