Solved: Daylight savings vs scheduled search fun.

Lucas_K · ‎10-07-2012

So its just gone to daylight savings in my time zone (AEDT - Australian Eastern daylight time GMT + 11)

So bug #1. This timezone doesn't exist inside splunk (4.3.4 still!) but that is besides the point.

So i've manually changed my time zone to GMT +11 (sol.islands/new cal) (I'm in Melbourne australia!) for the admin user.

My problem is now all the scheduled searches show UTC time. Prior to doing this they were all correctly displayed localised EST times (GMT +10) just running 1 hour late.

Does anyone know how I can have my admin/robot/scheduled job account with correct TZ defined in my user-prefs.conf AND get the searches and reports page to correctly reflect this?

Lucas_K · ‎10-07-2012

Ok the solution is not to use splunk tz setting at all and change the tz in the splunk user on the OS itself.

ie. .bash_profile
TZ=Australia/Melbourne
export PATH TZ

An issue remains that users can't set their own timezones that will honor daylight savings (if they differ to the tz that the splunk user runs under).

View solution in original post

Lucas_K · ‎10-07-2012

Ok the solution is not to use splunk tz setting at all and change the tz in the splunk user on the OS itself.

ie. .bash_profile
TZ=Australia/Melbourne
export PATH TZ

An issue remains that users can't set their own timezones that will honor daylight savings (if they differ to the tz that the splunk user runs under).

Daylight savings vs scheduled search fun.

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?