Splunk® Enterprise

Getting Data In


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

Specify time zones of timestamps

If you're indexing data from hosts in different time zones, you need to tell Splunk which zone each set of events is written in, so that their timestamps are converted to the same point in time and correlate correctly when you search. An event whose zone is misidentified is indexed hours away from when it actually occurred, which silently breaks any timeline built across hosts (for example, lining up a firewall deny against the server log it protected). You can configure time zones based on the host, source, or source type of an event.

Configure time zones in props.conf. For general information on editing props.conf for timestamps, see "Configure timestamp recognition".

How Splunk applies time zones

By default, Splunk applies time zones using these rules, in this order:

1. Splunk uses a time zone specified in the raw event data itself (for example, PST or -0800), when one is present. For such events the TZ attribute below is not consulted.

2. Splunk uses the value of a TZ attribute set in props.conf, if the event matches the host, source, or source type specified by the stanza.

3. Splunk uses the time zone of the Splunk server that indexes the event.

Note: If you change the time zone setting in the system Splunk is running on, you must restart Splunk for it to pick up the change.

Specify time zones in props.conf

To configure time zone settings, edit props.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. Edit it on the instance that parses the data, that is, the indexer or a heavy forwarder: a universal or light forwarder does not perform timestamp extraction, so a TZ attribute set there has no effect. For information on configuration files in general, see "About configuration files" in the Admin manual.

Configure time zones by adding a TZ attribute to the appropriate stanza in props.conf. The Splunk TZ attribute recognizes zoneinfo TZ IDs. (See all the time zone TZ IDs in the zoneinfo (TZ) database.) Inside the stanza for a host, source, or source type, set the TZ attribute to the TZ ID of the zone in which the timestamps of those events were written. TZ declares the zone the events come from; it is not a zone to convert them to. Setting it to the zone you would like to view results in shifts every event by the difference between the two zones.

Note that the time zone of the indexer is not configured in Splunk, but in the underlying operating system. As long as the time is set correctly on the host system of the indexer, the offsets to event time zones will be calculated correctly.

Examples

Events are coming to this indexer from New York City (in the US/Eastern time zone) and Mountain View, California (US/Pacific). To correctly handle the timestamps for these two sets of events, props.conf on the indexer needs the time zone to be specified as US/Eastern and US/Pacific respectively. After making a change like this, check it by comparing _time against the timestamp text in _raw for a few events from each location.

The first example sets the time zone to US/Eastern for any events coming from hosts whose names begin with nyc (host stanzas take wildcard patterns, not regular expressions; * matches any run of characters):

[host::nyc*]
TZ = US/Eastern

The second example sets the time zone to US/Pacific for any events coming from sources under the path /mnt/ca/ (in a source stanza, ... matches any number of characters, including directory separators, so files in nested subdirectories match too):

[source::/mnt/ca/...]
TZ = US/Pacific
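The following Python model is an added example, not Splunk code or part of this manual. It reproduces the three-rule precedence described above (an offset in the raw event wins, then the TZ of a matching props.conf stanza, then the indexer's own zone) and walks the page's two stanzas over a few constructed events, so you can see what _time each event would receive and how far off it lands when a stanza names the wrong zone. It assumes an indexer whose operating-system clock is set to UTC, uses the canonical zoneinfo IDs America/New_York and America/Los_Angeles in place of the US/Eastern and US/Pacific aliases (some minimal OS images no longer ship the aliases), and assumes source stanzas are checked before host stanzas when both match; the timestamp recognizer handles only the one format the sample events use.

```python
"""Model of Splunk's index-time time zone resolution (added example, not Splunk code).

Rules reproduced, in order: (1) an offset in the raw event, (2) the TZ of a
matching props.conf stanza, (3) the indexer's own zone.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from zoneinfo import ZoneInfo

# Constructed stanzas mirroring the page's two examples, with canonical IDs.
PROPS = {
    "host::nyc*": "America/New_York",              # page: [host::nyc*]          TZ = US/Eastern
    "source::/mnt/ca/...": "America/Los_Angeles",  # page: [source::/mnt/ca/...] TZ = US/Pacific
}
INDEXER_TZ = timezone.utc  # assumption: the indexer's OS clock is set to UTC

# Recognizes "YYYY-MM-DD HH:MM:SS" plus an optional numeric offset or 'Z'.
# Splunk's real recognizer (datetime.xml) handles far more formats than this.
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})(Z|[+-]\d{4})?")


def stanza_regex(pattern: str) -> "re.Pattern":
    """Translate a props.conf host::/source:: wildcard pattern into a regex.
    '...' matches anything including '/', '*' matches anything except '/'."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def stanza_tz(host: str, source: str, props: dict = PROPS) -> Optional[str]:
    """TZ of the first stanza matching the event. Assumption: source stanzas are
    checked before host stanzas; see the Admin manual for Splunk's own precedence."""
    for kind, value in (("source", source), ("host", host)):
        prefix = kind + "::"
        for stanza, tz in props.items():
            if stanza.startswith(prefix) and stanza_regex(stanza[len(prefix):]).match(value):
                return tz
    return None


def resolve_event_time(raw: str, host: str, source: str) -> Tuple[datetime, str]:
    """Assign an aware _time to one event; returns (time, rule that decided it)."""
    m = TS_RE.search(raw)
    if not m:
        raise ValueError("no recognizable timestamp in event")
    naive = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
    offset = m.group(3)
    if offset:  # rule 1: the event states its own zone; any props.conf TZ is ignored
        if offset == "Z":
            tz = timezone.utc
        else:
            sign = 1 if offset[0] == "+" else -1
            tz = timezone(sign * timedelta(hours=int(offset[1:3]), minutes=int(offset[3:5])))
        return naive.replace(tzinfo=tz), "raw offset"
    name = stanza_tz(host, source)
    if name:  # rule 2: TZ says which zone the raw wall-clock text was written in
        return naive.replace(tzinfo=ZoneInfo(name)), f"props.conf TZ={name}"
    return naive.replace(tzinfo=INDEXER_TZ), "indexer local zone"  # rule 3


def skew_hours(wall_clock: str, true_tz: str, configured_tz: str) -> float:
    """Hours by which _time is wrong when an event really written in true_tz is
    indexed under a stanza that claims configured_tz. Non-zero means any
    cross-host timeline built from this data is silently shifted."""
    naive = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S")
    real = naive.replace(tzinfo=ZoneInfo(true_tz))
    indexed = naive.replace(tzinfo=ZoneInfo(configured_tz))
    return (indexed - real).total_seconds() / 3600


def demo() -> List[Tuple[str, str, str]]:
    # Constructed sample events: identical wall-clock text, different origins.
    events = [
        ("2012-09-07 05:00:00 sshd: accepted publickey", "nyc-web01", "/var/log/auth.log"),
        ("2012-09-07 05:00:00 sshd: accepted publickey", "sfo-web01", "/mnt/ca/web/auth.log"),
        ("2012-09-07 05:00:00-0800 sshd: accepted publickey", "nyc-web01", "/var/log/auth.log"),
        ("2012-09-07 05:00:00 sshd: accepted publickey", "ldn-web01", "/var/log/auth.log"),
    ]
    out = []
    for raw, host, source in events:
        when, rule = resolve_event_time(raw, host, source)
        out.append((host, when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), rule))
    return out


if __name__ == "__main__":
    for row in demo():
        print(*row, sep="  ")
    print("London event indexed under America/New_York is off by",
          skew_hours("2012-09-07 05:00:00", "Europe/London", "America/New_York"), "hours")
```

Run as a script, the four events show each rule firing: the nyc host gets US/Eastern, the /mnt/ca/ source gets US/Pacific, the event carrying -0800 keeps its own offset even though its host matches nyc*, and the London host, matched by no stanza, falls back to the indexer's zone. The skew_hours call shows the cost of treating TZ as a display setting: a London log labelled as Eastern lands five hours late during summer time, which is exactly the kind of offset that makes two hosts' records of one incident look unrelated.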

zoneinfo (TZ) database

The zoneinfo database is a publicly maintained database of time zone values.

  • UNIX versions of Splunk rely on a TZ database included with the UNIX distribution you're running on. Most UNIX distributions store the database in the directory: /usr/share/zoneinfo.
  • Solaris versions of Splunk store TZ information in this directory: /usr/share/lib/zoneinfo.
  • Windows versions of Splunk ship with a copy of the TZ database.

Refer to the zoneinfo (TZ) database for all permissible TZ values.

Set the time zone for a user's search results

When you add or edit users using Splunk's built-in authentication, you can set a user time zone. Search results for that user will appear in the specified time zone. This setting, however, does not change the actual event data, whose time zone is determined at index time. For information, see Set up user authentication with Splunk's built-in system.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1


Comments

Smmehadi: This sounds like a question for Support--we'll need to look at your log format and see what might be causing this. Please file a case or visit #splunk IRC on EFNET for help!

Rachel, Splunker
September 21, 2012

We have set up Splunk in our environment, and we have logs coming in from different geographies (US/UK/Asia). The logs all have different timestamps, so we thought of converting them to the same timezone (US/EST). For this we made changes in the Splunk forwarder (/opt/splunkforwarder/etc/apps/search/local/props.conf) to add:

[sourcetype::log4j]
TZ = US/Eastern

but still logs are coming with the original timestamp. We also made similar changes in /opt/splunkforwarder/etc/system/local/props.conf, but that didn't work either (we restarted the forwarder after these changes).

When we made these changes in the Splunk server (/opt/splunk/etc/system/local/props.conf), the time of the log got changed, but it was incorrect. For example 7 Sep 5 AM of London appeared as 6 Sep 3 PM, which isn't as expected.
Can you please help?

Smmehadi
September 6, 2012
