Specify timezones of timestamps
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Specify timezones of timestamps
If you're indexing data from different timezones, use timezone offsets to ensure that they're correctly correlated when you search. You can configure timezones based on the host, source, or source type of an event.
Configure timezones in props.conf. By default, Splunk applies timezones using these rules, in the following order:
1. Use the timezone in raw event data (for example, PST, -0800).
2. Use TZ if it is set in a stanza in props.conf and the event matches the host, source, or source type specified by a stanza.
3. Use the timezone of the Splunk server that indexes the event.
Specify time zones in props.conf
Use $SPLUNK_HOME/etc/system/README/props.conf.example as an example, or create your own props.conf. Make any configuration changes to a copy of props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/.
Configure time zones by adding a TZ = key to a timestamp configuration stanza for a host, source, or sourcetype in props.conf. The Splunk TZ = key recognizes zoneinfo TZID's (See all the timezone TZ ID's in the zoneinfo (TZ) database). Set a TZ = value to a TZID of the appropriate timezone for any host, source, or source type. The TZ for a host, source, or source type should be set to the timezone of the events coming from that host, source, or sourcetype.
Note that the timezone of the indexer is not configured in Splunk. As long as the time is set correctly on the host OS of the indexer, offsets to event timezones will be calculated correctly.
Examples
Events are coming to this indexer from New York City (in the US/Eastern timezone) and Mountain View, California (US/Pacific). To correctly handle the timestamps for these two sets of events, the props.conf for the indexer needs the timezone to be specified as US/Eastern and US/Pacific respectively.
The first example sets the timezone of events from host names that match the regular expression nyc.* with the US/Eastern timezone.
[host::nyc*] TZ = US/Eastern
The second example sets the timezone of events from sources in the path /mnt/ca/... with the US/Pacific timezone.
[source::/mnt/ca/...] TZ = US/Pacific
zoneinfo (TZ) database
The zoneinfo database is a publicly maintained database of timezone values.
- UNIX versions of Splunk rely on a TZ database included with the UNIX distribution you're installing on. Most UNIX distributions store the database in the directory:
/usr/share/zoneinfo. - Solaris versions of Splunk store TZ information in this directory:
/usr/share/lib/zoneinfo. - Windows versions of Splunk ship with a copy of the TZ database.
Refer to the zoneinfo (TZ) database for values you can set as TZ = in props.conf.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.
Comments
How about converting from UTC?
Does splunk need to be restarted after you add a props.conf file?
On the indexer (or whereever your data is parsed), set the following in props.conf:
[host::utchostname]
TZ = GMT
Once you restart the indexer or the heavy forwarder, your events will come in with the proper offset.