Hello everyone,
It's my understanding that, as far as timezone (TZ) information is concerned, Splunk will attempt to determine the log source TZ at index time, then convert the timestamp to UTC and store it that way by default. Is there any type of global variable that can be used to display that indexed timezone? For forensic purposes, and to verify the validity of the information, it would be helpful if I could display this information in searches and dashboards.
Thank you
Download and install the "Meta Woot!" and "Data Curator" apps and buckle your seatbelt for a bumpy ride through "Is it really this %^&* bad?" (it is). Let me know if you need help unraveling and mitigating the situation (it can be quite complex); we do custom PS for this frequently (it is a specialized skillset).
You can look at the date_zone field to know the timezone offset from UTC for the event.
I checked a few indexes and I'm not seeing a date_zone field anywhere. If I could find that field or something similar that would definitely be my option. Any reason it wouldn't be there?
Edit: I may have answered my own question
Note: Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that.
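A search that surfaces date_zone next to each event and labels the three cases the note above distinguishes (no date_* fields at all, date_zone="local", or an explicit offset). This is an added example, not code from the thread or from Splunk's documentation; the index and sourcetype names are assumptions, so substitute your own.

```spl
index=main sourcetype=syslog
| eval tz_origin=case(
    isnull(date_zone), "no date_* fields: timestamp was not parsed from the event text",
    date_zone="local", "parsed from event text, no TZ in event: offset came from TZ in props.conf or the indexer's zone",
    true(), "parsed from event text with explicit offset of " . date_zone . " minutes from UTC")
| table _time date_zone tz_origin sourcetype host _raw
```

date_zone holds the offset in minutes from UTC as written in the event (for example "-300"), or "local" when the event carried no zone. Replacing the final `table` with `stats count by sourcetype, host, date_zone` turns the same search into a per-source inventory, which is the quicker way to find sources whose zone was assigned rather than observed.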
Wouldn't the original log timestamp be in the event itself? You can click the event of interest, expand it, and then select Event Actions > Show Source.
The displayed timestamps don't change in the log itself. It's just so that when users search, the logs have the correct +/- TZ with respect to the selected timezone on their account when searching.
The timestamp is there, but if the log source doesn't contain TZ information within it, I have no way of knowing if the TZ of the source data was GMT, EST, etc.
Ohhh ok. Now I understand what you're saying. Yes, I think you are right that the date_* fields will exist if there is date information within the original log, which then allows you to use the date_zone field. Else, you know it is auto generated in some fashion by Splunk.
To be clear, you are trying to find the timestamp when the indexer parsed the log file?
The timezone the indexer assigns to the log source prior to converting to UTC (or whatever) when it stores it in the index.