Apply timezone offsets to timestamps

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10


If you're indexing data from different timezones, use timezone offsets to ensure that they're correctly correlated when you search. You can configure timezone offsets based on the host, source, or sourcetype of an event.

Configure timezone offsets in props.conf. By default, Splunk applies timezone offsets using these rules, in the following order:

1. Use the time zone in raw event data (for example, PST, -0800).

2. Use TZ if it is set in a stanza in props.conf and the event matches the host, source, or sourcetype specified by a stanza.

3. Use the time zone of the Splunk server that indexes the event.

Configure time zone offsets in props.conf

Use $SPLUNK_HOME/etc/system/README/props.conf.example as an example, or create your own props.conf. Make any configuration changes to a copy of props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/.

Configure time zones by adding a TZ = key to a timestamp configuration stanza for a host, source, or sourcetype in props.conf. The TZ key accepts zoneinfo TZIDs (see the zoneinfo (TZ) database section below for where the list of IDs lives on your platform). Set TZ to the TZID of the time zone in which the events from that host, source, or sourcetype were generated, not the zone of the indexer that receives them.

Note that the time zone of the indexer itself is not configured in Splunk. As long as the clock (and consequently the time zone) is set correctly on the indexer's host OS, offsets between event time zones and the indexer are calculated correctly.

Examples

Events are coming to an indexer from New York City (in the US/Eastern timezone) and Mountain View, California (US/Pacific). To correctly handle the timestamps for these two sets of events, the props.conf for the indexer needs the timezone offset to be specified as US/Eastern and US/Pacific respectively.

The first example sets the time zone of events from hosts whose names match the regular expression nyc.* to US/Eastern.

[host::nyc*]
TZ = US/Eastern

The second example sets the time zone of events from sources under the path /mnt/ca/... to US/Pacific.

[source::/mnt/ca/...]
TZ = US/Pacific
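To make the three-rule precedence and the two stanzas above concrete, here is an added Python example (not Splunk's own code) that parses those stanzas and resolves the same wall-clock timestamp four different ways. It assumes Python 3.9+ with system tzdata, treats stanza order in the file as the match order, and uses a constructed UTC clock for the indexer.

```python
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed props.conf text mirroring the two stanzas on this page.
PROPS_CONF = """[host::nyc*]
TZ = US/Eastern
[source::/mnt/ca/...]
TZ = US/Pacific
"""

def parse_props(text):
    """Collect (kind, pattern, tz) from stanzas that set TZ; kind is host/source/sourcetype."""
    rules, stanza = [], None
    for line in text.splitlines():
        m = re.fullmatch(r"\[(host|source|sourcetype)::(.+)\]", line.strip())
        if m:
            stanza = m.groups()
        elif stanza and line.strip().startswith("TZ"):
            rules.append((*stanza, line.split("=", 1)[1].strip()))
    return rules

def stanza_regex(pattern):
    """Stanza wildcards: '...' matches any text including '/', '*' any text without '/'."""
    return "".join("[^/]*" if t == "*" else ".*" if t == "..." else re.escape(t)
                   for t in re.split(r"(\.\.\.|\*)", pattern))

def resolve_event_time(raw, host, source, sourcetype, rules, indexer_tz=timezone.utc):
    """Return UTC epoch seconds for an event whose raw text starts 'YYYY-MM-DD HH:MM:SS'."""
    naive = datetime.strptime(raw[:19], "%Y-%m-%d %H:%M:%S")
    # Rule 1: an offset in the raw event (e.g. -0800) always wins.
    m = re.match(r"\s*([+-]\d{4})", raw[19:])
    if m:
        return datetime.strptime(raw[:19] + m.group(1), "%Y-%m-%d %H:%M:%S%z").timestamp()
    # Rule 2: the first matching TZ stanza (file order is an assumption here).
    meta = {"host": host, "source": source, "sourcetype": sourcetype}
    for kind, pattern, tz in rules:
        if re.fullmatch(stanza_regex(pattern), meta[kind] or ""):
            return naive.replace(tzinfo=ZoneInfo(tz)).timestamp()
    # Rule 3: nothing matched, so the indexer's own zone (assumed UTC) applies.
    return naive.replace(tzinfo=indexer_tz).timestamp()

def demo():
    # Same wall-clock text, four different resolutions (constructed events).
    rules = parse_props(PROPS_CONF)
    return {
        "explicit_offset": resolve_event_time("2010-01-15 12:00:00 +0100 ok", "nyc01", "/var/log/a", None, rules),
        "host_nyc": resolve_event_time("2010-01-15 12:00:00 ok", "nyc01", "/var/log/a", None, rules),
        "source_ca": resolve_event_time("2010-01-15 12:00:00 ok", "sfo01", "/mnt/ca/logs/app.log", None, rules),
        "indexer": resolve_event_time("2010-01-15 12:00:00 ok", "other", "/var/log/a", None, rules),
    }
```

The four results differ by five, eight and zero hours from the explicit-offset case, which is exactly the kind of silent skew a search over mixed-zone data shows when a stanza is missing.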

zoneinfo (TZ) database

The zoneinfo database is a publicly maintained database of timezone values.

  • UNIX versions of Splunk rely on a TZ database included with the UNIX distribution you're installing on. Most UNIX distributions store the database in the directory: /usr/share/zoneinfo.
  • Solaris versions of Splunk store TZ information in this directory: /usr/share/lib/zoneinfo.
  • Windows versions of Splunk ship with a copy of the TZ database.

Refer to the zoneinfo (TZ) database for values you can set as TZ = in props.conf.

Revision: 207