Getting Data In

How to set a default timezone for an entire multisite Splunk deployment?

wweiland
Contributor

Hi,

I'm creating a multisite Splunk deployment with timezone differences. Since most users do not change their timezone pref and it's set to default, it could change depending on which search head and indexer they pull from. Is there a configuration setting that would set the timezone for the entire Splunk environment? I would imagine I would need to set the indexers and the search heads to ensure the results are static, correct? Any recommendations on how I should approach this?

TIA,
Todd

0 Karma
1 Solution

lguinn2
Legend

There are two major locations for timezone:
1 - in the data ingestion process - the timezone is essential to making sure that the timestamp is accurate for every event
2 - in the user interface (at search time) - the user's timezone controls how the timestamp is displayed

Data ingestion: the Splunk Admin must make appropriate time and timezone settings on the forwarders and indexers, using props.conf

Search time: users can choose a timezone, or you can set one by default, using user-prefs.conf - must be done on the search head(s)
Although it is not explicitly documented, try this in etc/system/local/user-prefs.conf

[default]
# Only canonical timezone names such as America/Los_Angeles are allowed
tz = America/Los_Angeles

[general_default]
default_earliest_time = -24h@h

If this doesn't work, try setting the tz explicitly for each role (a bit more painful, but the documented way):

[role_power]
tz = America/Los_Angeles
lang = en-US

[role_user]
tz = GMT

tkmads1
Explorer

Hi,

I need to change the tz for all the users and roles to Oslo Norway timezone.
(GMT+01:00)

But I can't find system folder under etc folder on our search head.

Instead we have below path:
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf

I tried adding below stanzas in /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf and restarted splunk, but it's not working.

[default]
tz = Europe/Amsterdam

[general_default]
default_earliest_time = -24h@h

Kindly suggest where I am wrong

Regards,
Ravikiran Shikchi

0 Karma

lguinn2
Legend

If the file $SPLUNK_HOME/etc/system/local/user-prefs.conf does not exist, then you must create it with the contents shown.

0 Karma

robertlynch2020
Motivator

Hi

Thanks for your help.

I have created this file, however when I log in from DUBLIN with two users
Admin = Default Time Zone
Consultant = Paris Time Zone

I still get the issues that after I do an action in my GUI it acts differently to when I log in via CITRIX from PARIS.

0 Karma

wweiland
Contributor

Can you do a "/opt/splunk/bin/splunk btool --debug user-prefs list | less" and search for tz?

0 Karma

robertlynch2020
Motivator

Hi

I get this with that command

/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf [general]
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf datasets:showInstallDialog = 1
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_assistant = compact
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_auto_format = 0
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_line_numbers = 0
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_syntax_highlighting = light
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf [general_default]
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf appOrder = search
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_earliest_time = -24h@h
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_latest_time = now
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_namespace = $default
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf hideInstrumentationOptInModal = 0
/dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf showWhatsNew = 1
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf   [role_consultant]
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf   default_namespace = murex_mlc
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf   [role_consultant_read]
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf   default_namespace = murex_mlc

So when I open it up I get this.
/dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf

[role_consultant]
default_namespace = murex_mlc

[role_consultant_read]
default_namespace = murex_mlc

Not sure if I should try and add in my TZ here or create
etc/system/local/user-prefs.conf

0 Karma

wweiland
Contributor

Yeah, add the tz to your local/user-prefs.conf that you have. I see no reason why that shouldn't work.

0 Karma

robertlynch2020
Motivator

Bad news, I added this to splunk/etc/apps/user-prefs/local/user-prefs.conf

I log into my two different sites (same user consultant) - one in Paris via Citrix and one in Dublin, the one in Dublin is not behaving like the one in Paris.

[default]
tz = Europe/Paris

[role_consultant]
default_namespace = murex_mlc
tz = Europe/Paris

[role_consultant_read]
default_namespace = murex_mlc
tz = Europe/Paris

0 Karma

wweiland
Contributor

Are they both supposed to be Europe/Paris? You can do the btool on the one not acting correctly and see if the config is there.

0 Karma
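
An added example (not from any poster in this thread, and not Splunk's own tooling): a small Python parser for captured `splunk btool --debug user-prefs list` output that reports which stanzas set `tz`, from which file, and where two search heads disagree. It assumes the two-column layout shown in the thread (conf path without spaces, then a stanza header or `key = value`); the sample captures and their paths are constructed.

```python
# Added example: compare tz settings captured from two search heads.
# Input is text saved from `splunk btool --debug user-prefs list`.

def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)  # "<conf path> <stanza or key = value>"
        if len(parts) != 2:
            continue
        path, rest = parts[0], parts[1].strip()
        if rest.startswith("[") and rest.endswith("]"):
            current = rest[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in rest and current is not None:
            key, _, value = rest.partition("=")
            stanzas[current][key.strip()] = (value.strip(), path)
    return stanzas

def tz_by_stanza(text):
    """Return {stanza: (tz, source_file) or None} for every stanza seen."""
    return {s: kv.get("tz") for s, kv in parse_btool_debug(text).items()}

def tz_differences(text_a, text_b):
    """Return {stanza: (tz_a, tz_b)} where the hosts disagree (None = not set)."""
    a, b = tz_by_stanza(text_a), tz_by_stanza(text_b)
    diffs = {}
    for stanza in sorted(set(a) | set(b)):
        tz_a = a[stanza][0] if a.get(stanza) else None
        tz_b = b[stanza][0] if b.get(stanza) else None
        if tz_a != tz_b:
            diffs[stanza] = (tz_a, tz_b)
    return diffs

# Constructed sample captures (hypothetical paths), one per search head.
SH_PARIS = """\
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   [default]
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   tz = Europe/Paris
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf [general_default]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf default_earliest_time = -24h@h
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   [role_consultant]
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   tz = Europe/Paris
"""
SH_DUBLIN = """\
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf [general_default]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf default_earliest_time = -24h@h
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   [role_consultant]
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf   default_namespace = murex_mlc
"""

if __name__ == "__main__":
    for stanza, (tz_a, tz_b) in tz_differences(SH_PARIS, SH_DUBLIN).items():
        print(f"[{stanza}] tz differs: host A={tz_a} host B={tz_b}")
```

An empty result means both captures carry the same `tz` values per stanza; a `None` on one side means that host's merged configuration has no `tz` in that stanza.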

robertlynch2020
Motivator

Hi

I have the same issues, did you get a fix for this?

0 Karma

wweiland
Contributor

This answer is great. Thank you.

0 Karma

robertlynch2020
Motivator

Of the two suggestions, which one worked?

0 Karma

wweiland
Contributor

I believe the first one worked for me.

0 Karma