• Getting Started
  • About the getting started section
  • Installation
  • Start Splunk for the first time
  • Administration Basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Find and index data
    • Add Data
    • Tail a file
    • Find logfiles
    • Get help configuring your sources
  • Add more users
    • User roles
    • Splunk local users
    • LDAP
  • Start searching
• How Splunk Works
  • How Splunk Works
    • About Splunk
    • Indexing
    • User interaction
    • Users and access controls
    • Distributed deployments
    • Configuration
    • SplunkBase
    • Developer APIs and integration features
    • Licensing
• Configuring a Splunk Deployment
  • Choose a Deployment Model
    • Single server
    • Distributed input
    • Distributed indexing
    • Data redundancy
    • Partitioning
    • Forwarding to non-Splunk systems
    • LDAP integration
  • Decide how Splunk should index your data
    • Create additional indexed fields
    • Tweak default processing
    • Mask sensitive data
    • Change indexing density
    • Eliminate processing steps
    • Filter and route data
  • Install Splunk on every host
  • Configure the receiving servers
    • Data policy
    • Authentication
    • Receiving
    • Segmentation
  • Configure the forwarding servers
    • Define server classes
    • Inputs
    • Processing properties
    • Data distribution
    • Data policy
    • Authentication
  • Set up the deployment server
    • Configure the deployment server
    • Set up deployment classes
• Data Inputs
  • How input configuration works
    • Data input types
    • Indexing properties
  • Configure inputs via SplunkWeb
    • Configuration
    • Files and directories
    • FIFO queues
    • Network ports
  • Configure inputs via the CLI
    • Data input commands
    • Data input types
    • Examples
  • Configure inputs via inputs.conf
    • Configuration
  • Scripted inputs
    • Configuration
    • Example
  • Add binary files
    • Configuration
    • Example
  • File whitelisting / blacklisting
    • Configuration
    • Example
    • Verification tool
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via SplunkWeb
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via SplunkWeb
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
  • Host name configuration examples
    • Setting host through inputs.conf
    • Setting host through transforms.conf and props.conf
• Source Types
  • How source types work
    • Sources and source types
    • How sourcetype:: values are set
    • Custom indexing linked to source types
    • Eliminate processing steps
    • Configuration files for source types
  • Set source type for an input
    • via SplunkWeb
    • via configuration files
  • Set a source type for a source
    • via configuration files
  • Train Splunk on a sourcetype
    • via the CLI
  • Create an alias for a source type
    • via SplunkWeb
• Timestamp Recognition
  • How Splunk recognizes timestamps
    • Timestamp precedence
    • Configuration files for timestamps
  • Configure Splunk to recognize a timestamp
    • Positional timestamp extraction
    • Specify timestamp format
    • Set time zone
    • Set Splunk to use the European date format
  • Train Splunk to recognize timestamps
    • About training
    • via the CLI
  • How to configure timezone offsets
    • Configuration
    • Posix TZ formats
    • Examples
  • Tune Timestamping
    • Turn off timestamp lookahead
• Events
  • How events work
    • Event or event type
    • How event recognition works
    • Configuration files for event boundaries
  • Large events
  • Multiline events
    • Configuration
    • Examples
  • Mask sensitive data in an event
    • Configuration
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Auto-discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Configure auto-discovery
    • Configuration
    • Example
  • punct::
  • Save event types via SplunkWeb
    • Configuration
    • Example
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Considerations for event types in distributed environments
• Meta Events
  • How meta events work
    • Transitive meta events
    • Configuration files for meta events
  • Configure meta events
    • Configuration
    • Examples
• Fields
  • How fields work
    • Search fields vs extracted fields
    • Disable fields entirely
    • Configuration files for fields
  • Create additional search fields
    • Configuration
    • Example
  • Define additional extracted fields
    • Configuration
    • Example
  • Field actions
    • Configuration
• Segmentation
  • How segmentation works
    • Configuration files for segmentation
  • Configure segmentation
    • Inner segmentation
    • Outer segmentation
    • No segmentation
  • Enable custom segmentation
    • Configuration
    • Example
• Saved Searches and Alerts
  • How saved searches work
    • Saved searches
    • Alerting
  • Set up saved searches
    • via SplunkWeb
    • via configuration files
  • Set up Alerts
    • via SplunkWeb
    • via configuration files
    • Script options
  • Send SNMP traps
    • Configuration
  • Send syslog events
    • Configuration
    • Example
  • Considerations for saved searches and alerts in a distributed environment
• Authentication
  • How authentication works
  • SSL
    • Configuration
    • SSL for SplunkWeb
  • Set up users
  • Set up LDAP
    • Configure your Authentication Strategy via SplunkWeb
    • Configure Splunk to use your LDAP server
    • Determine your User and Group Base DN
    • Map existing LDAP groups to Splunk Roles
    • Test your LDAP configuration
    • Sample configurations
• Granular Access Control
  • How Granular Access Control works
    • Configuration files for access controls
• Data Distribution
  • How data distribution works
    • Data forwarding
    • Data routing
    • Data cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lite-weight forwarding and routing
  • Set up routing
    • Configuration
    • Examples
  • Route data to third-party systems
    • Configuration
    • Example
  • Enable cloning
  • Set up SSL
    • Forwarder
    • Receiver
  • Set up data balancing
    • Configuration
    • Example
  • Filtering and routing
    • Configuration
    • Example
  • Filter data before forwarding
  • Route specific events to an alternate index
    • Configuration
    • Example
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via SplunkWeb
  • Enable distributed search via the CLI
    • Configuration
  • Configuration files for distributed search
  • Users in a distributed search setup
  • Exclude specific Splunk servers from distributed searches
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Create a deployment server
    • Configuration
    • Examples
  • Configure deployment clients
    • Enable the client and server
    • Sync the server and client
  • Configuration changes after initial deployment
  • Using Splunk with 3rd Party configuration management systems
• Index Management
  • How Index Management Works
    • Data management
    • Configuration files for index management
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Set retirement policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Restoring archived data
    • Restoring a copied index archive
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Set up a WORM datastore
  • Reducing Index Density
  • Delete data from the index
    • Delete everything
    • Delete a subset of events
• Bundles
  • What are Bundles?
  • Bundle directory structure
  • Bundle precedence
  • Bundle best practice
    • Testing bundles
• SplunkBase
  • Why use SplunkBase?
  • Sharing add-ons on SplunkBase
    • Creating Add-ons
    • Best practices for making add-ons containing Splunk configuration
    • Submit your add-on
  • Finding and downloading add-ons on SplunkBase
    • Implementing add-ons from SplunkBase
  • Looking up events on SplunkBase
    • Configuration
  • Security and privacy considerations
  • Control user access to SplunkBase
• Performance Tuning
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • eventdiscoverer.conf
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • Tuning indexes.conf
    • Tuning props.conf
    • Make SplunkWeb search faster
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • Network utilization
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
  • Virtual machines
• Routine Maintenance
  • System backups
    • Backups in 3 Easy Steps
  • Monitoring Splunk
    • via SplunkWeb
• How-To
  • Make SplunkWeb search faster
    • Enable core fields only
    • Disable related
    • Disable typeahead
  • Harden a Splunk server
  • Secure network connections
  • Restore a failed server
  • Add or Remove an index
    • Create an index
    • Delete an index
  • Move an index
    • Configuration
  • Change data policy to recover space
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Public server setup
  • Determine daily volume
  • Set up auto-refresh
  • Upgrade your license for more data
  • How to use Splunk 2 Nagios
    • What Nagios logs
    • Install the Splunk2Nagios integration
  • Restore a blocked license
  • Customize the built-in help module
  • Configure GUI Timeout
  • Configure the Get Started module
  • Disable SplunkWeb
    • Edit web.conf
    • Run the disable command
    • Re-enable SplunkWeb
  • Configure OPSEC LEA Input
    • Installation
    • Checkpoint Modification
    • Configuration
  • Place Splunk behind a web proxy
    • Scenario:
    • Solution:
  • Cancel Search
  • Strip syslog headers before processing
  • Reconstitute Logs
    • Export event data
    • CLI search
  • Enable HTTPS
    • configuration
• Troubleshooting
  • Splunkd is down
  • Splunk logfiles
    • Internal logs
    • debug
    • log.cfg
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • Cannot access License & Usage tab
    • I installed my license in a Preview release and now it doesn't work!
  • Unable to get a properly formatted response from the server
  • Contact Support
    • Work with Splunk Support
    • Log levels and starting in debug mode
• Reference
  • Splunk CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • Configuration file list
  • access_controls.conf
    • access_controls.conf.spec
  • alert_actions.conf
    • alert_actions.conf.spec
  • auth.conf
    • auth.conf.spec
  • deployment.conf
    • deployment.conf.spec
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
  • eventtypes.conf
    • eventtypes.conf.spec contents
  • field_actions.conf
    • field_actions.conf.spec
  • indexes.conf
    • indexes.conf.spec
  • inputs.conf
    • inputs.conf.spec
  • metaevents.conf
    • metaevents.conf.spec
  • outputs.conf
    • outputs.conf.spec
  • prefs.conf
    • prefs.conf.spec
  • props.conf
    • props.conf.spec
  • savedsearches.conf
    • How to read a savedsearches.conf file
    • savedsearches.conf.spec
  • segmenters.conf
    • segmenters.conf.spec
  • server.conf
    • server.conf.spec
  • transforms.conf
    • transforms.conf.spec
  • user-seed.conf
    • user-seed.conf.spec
  • web.conf
    • web.conf.spec

How to configure timezone offsets

You can configure Splunk to set timezone offsets for your data. Use POSIX timezone settings; see man tzset for format help.

Timezones are set in the following order:
1. If the event contains a timezone specifier with a date, that is used as the timezone (e.g, 11:59 PM PST).
2. Otherwise, if the TZ attribute is set for the event's source or host, that is used as the timezone.
3. Otherwise, the timezone of the local machine is used.

Please note: Begining in March 2007, daylight time in the United States will begin on the second Sunday in March and end on the first Sunday in November. Be sure to install your OS vendor's daylight time patch to ensure that your events get logged with the correct DST timezone.

Configuration

To configure timezone offsets, create an entry in props.conf, linking your timezone to a specific host, source or sourcetype.

props.conf

Add a stanza to $SPLUNK_HOME/etc/bundles/local/props.conf:

[<spec>]
TZ = $POSIX_STRING

<spec> can be:
1. <sourcetype>, the sourcetype of an event
2. host::<host>, where <host> is the host for an event
3. source::<source>, where <source> is the source for an event

TZ is a timezone in POSIX format, such as the example below:

EST-5EDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00

Examples:

This example would set all events from hostnames that match the regular expression nyc.* to Eastern Time Zone.

[host::nyc*]
TZ = EST-5EDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00

This example maps a source pathname to a timezone.

[source::/mnt/nyc/...]
TZ = EST-5EDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00

Posix TZ formats

(The following text is adapted from the GNU man page )

Splunk accepts two formats for time zones.

The first format is used when there is no Daylight Saving Time (or summer time) in the local time zone:

std offset

The std string specifies the name of the time zone. It can be any alphabetical string three or more characters long, but must not contain a leading colon, embedded digits, commas, nor plus and minus signs. There is no space character separating the time zone name from the offset, so these restrictions are necessary to parse the specification correctly.

The offset specifies the time value you must add to the local time to get a Coordinated Universal Time value. It has syntax like [+|-]hh[:mm[:ss]]. This is negative if the local time zone is west of the Prime Meridian and positive if it is east. The hour must be between 0 and 23, and the minute and seconds between 0 and 59.

For example, here is how we would specify Eastern Standard Time, but without any Daylight Saving Time alternative. The std is "EST" and the offset is "-5".

EST-5

The second format is used when there is Daylight Saving Time:

std offset dst [offset],start[/time],end[/time]

The initial std and offset specify the standard time zone, as described above. The dst string and offset specify the name and offset for the corresponding Daylight Saving Time zone; if the offset is omitted, it defaults to one hour ahead of standard time.

The remainder of the specification describes when Daylight Saving Time is in effect. The start field is when Daylight Saving Time goes into effect and the end field is when the change is made back to standard time. The following formats are recognized for these fields:

• Jn

This specifies the Julian day, with n between 1 and 365. February 29 is never counted, even in leap years.

• n

This specifies the Julian day, with n between 0 and 365. February 29 is counted in leap years.

• Mm.w.d

This specifies day d of week w of month m. The day d must be between 0 (Sunday) and 6. The week w must be between 1 and 5; week 1 is the first week in which day d occurs, and week 5 specifies the last d day in the month. The month m should be between 1 and 12.

The time fields specify when, in the local time currently in effect, the change to the other time occurs. If omitted, the default is 02:00:00.

Examples

US Eastern

• Without Daylight Savings

TZ=EST-5

• With US Daylight Savings time rules

TZ=EST-5EDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00

US Central

• Without Daylight Savings Time

TZ=CST-6

• With US Daylight Savings Time rules

TZ=CST-6CDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00

US Mountain

• Without Daylight Savings Time

TZ=MST-7

• With US Daylight Savings Time rules

TZ=MST-7EDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00

US Pacific

• Without Daylight Savings Time

TZ=PST-8

• With US Daylight Savings Time rules

TZ=PST-8PDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00

US Alaska

• Without Daylight Savings Time

TZ=AKST-9

• With US Daylight Savings Time rules

TZ=AKST-9PDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00

US Hawaii

• Without Daylight Savings Time

TZ=HST-10

• With US Daylight Savings Time rules

TZ=HST-10HDT01:00:00,M3.2.0/02:00:00,M11.1.0/02:00:00

Western Europe - UK and Ireland

• Without Daylight Savings Time

TZ=GMT+0

• With EU Daylight Savings Time rules

TZ=GMT+0BST01:00:00,M3.5.0/01:00:00,M10.5.0/02:00:00

Central Europe - Netherlands and Germany

• Without Daylight Savings Time

TZ=CET+1

• With EU Daylight Savings Time rules

TZ=CET+1CEST01:00:00,M3.5.0/02:00:00,M10.5.0/03:00:00

Japan

• Japan does not implement Daylight Savings Time

TZ=JST+9