Checking the Splunk Time Zone setting – Quick tips!

By |Published On: May 27th, 2022|

Wondering why your log events look an hour, two hours, three hours off (or more!) when you run a search? Check your time zone setting. It’s common to miss this during setup, especially with Splunk Cloud, and it can cause delays in your logging based on the time difference between your actual zone and the default zone. 

Changing your time zone

From the menu at the top of the screen in the Splunk GUI, there will be an entry with your username. Click on that, and then select Preferences.

You’ll then see this screen:

This is an image caption. 

The default setting is “— Default System Time zone —”

That default means the time zone Splunk uses to display events to you will be what the search head itself is set to use. 

On Splunk Cloud, for example, I’ve seen this be US Pacific time. And if your on-prem servers are set to Pacific time because they are in California, but you are accessing them from Ohio, you’ll need to set the time zone in your user preferences to Eastern time.

The user should set this to the time zone they’re using Splunk from. In my case, I’m in US Eastern, so that’s what I set it to. That tells Splunk to adjust the timestamps it displays when I run a search so they’re relative to my time zone. This makes it easier to see when a log event came in without needing to do any mental gymnastics to adjust the time zone to your local one.

Note: This setting doesn’t change the actual content of the event on disk. It only changes how it’s displayed to you, the user. If you move to a different time zone, you can change the setting to that time zone and events will be displayed appropriately to you.

Conclusion

I recommend that everyone watch this video by Tom Scott that explains some of the problems with system time and time zones. 

Happy Splunking!

Share with your network!
Get monthly updates from Hurricane Labs
* indicates required

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.