Apply timezone offsets
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Apply timezone offsets
Important: If you have configured timestamp offsets using pre-Splunk 3.2 POSIX instructions, you must reconfigure them using the information on this page. If you do not do this, your timestamp information will be incorrect.
Use timezone offsets to correctly correlate events from different timezones. Configure timezone offsets for events based on host, source, or sourcetype. Configure timezone offsets in props.conf. By default, Splunk applies timezone offsets using these rules, in the following order:
1. Use the timezone in raw event data (for example, PST, -0800).
2. Use TZ if it is set in a stanza in props.conf and the event matches the host, source, or sourcetype specified by a stanza.
3. Use the timezone offset of the Splunk server that indexes the event.
Configure timezone offsets in props.conf
Use $SPLUNK_HOME/etc/system/README/props.conf.example as an example, or create your own props.conf. Make any configuration changes to a copy of props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
Configure timezone offsets by adding a TZ = key to a timestamp configuration stanza for a host, source, or sourcetype in props.conf. The Splunk TZ = key recognizes zoneinfo TZID's (See all the timezone TZ ID's in the zoneinfo (TZ) database). Set a TZ = value to a TZID to a desired timezone offset for any host, source, or sourcetype.
Examples
This example sets the timezone offset of events from host names that match the regular expression nyc* to the Eastern time zone.
[host::nyc*] TZ = US/Eastern
This example sets the timezone offset of events from sources in the path /mnt/ca/... to the Pacific time zone.
[source::/mnt/ca/...] TZ = US/Pacific
zoneinfo (TZ) database
The zoneinfo database is a publicly maintained database of timezone values.
- UNIX versions of Splunk rely on a TZ database included with the UNIX distribution you're installing on. Most UNIX distributions store the database in the directory:
/usr/share/zoneinfo. - Solaris versions of Splunk store TZ information in this directory:
/usr/share/lib/zoneinfo. - Windows versions of Splunk ship with a copy of the TZ database.
Refer to the zoneinfo (TZ) database for values you can set as TZ = in props.conf.
Configure timezone offsets for Splunk versions before 3.2
If you're running a version of Splunk that is older than 3.2, you must use POSIX values for the value of TZ =. See man tzset for help with POSIX formatting.
Important: Prior to version 3.2, Splunk used an external timezone utility to parse POSIX timezones. The external utility has a bug that causes it to parse POSIX TZ values as east of Greenwich Mean Time (for example PST is "-0800"). Here is the thread describing the bug.
Examples
| Timezone | pre-Splunk 3.2 | Splunk 3.2 and newer |
| US Eastern | TZ=EST-5EDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00 | TZ=US/Eastern
|
| US Central | TZ=CST+6CDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00 | TZ=US/Central
|
| US Mountain | TZ=MST-7EDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00 | TZ=US/Mountain
|
| US Pacific | TZ=PST-8PDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00 | TZ=US/Pacific
|
| US Alaska | TZ=AKST-9PDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00 | TZ=US/Alaska
|
| US Hawaii | TZ=HST-10HDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00 | TZ=US/Hawaii
|
| Western Europe - UK and Ireland | TZ=GMT+0BST01:00:00,M3.5.0/01:00:00,M10.5.0/02:00:00 | TZ=Europe/Dublin
|
| Central Europe - Netherlands and Germany | TZ=CET-1CEST01:00:00,M3.5.0/02:00:00,M10.5.0/03:00:00 | TZ=Europe/Berlin
|
| UTC | TZ=UTC
|
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.