date_zone field

I am trying to make sure my timezones for devices logging to splunk are correct. I have noticed as part of the date extractions that there is a field called date_zone. the values for all my devices are 'local'. what is this field extracting and should it reference GMT or UTC if that timezone indicator is in the timestamp on the syslog message?

asked 28 Jun '11, 13:06

EricPartington
394●3●2●28
accept rate: 50%

One Answer:

oldest newest most voted

This Splunk-internal index-time field will take one of two values :

A time zone offset in minutes from UTC. This will only be available if 1) Splunk has found a time zone offset or name in the event rawdata or 2) a TZ setting is specified for the data in scope in props.conf
The string "local" which indicates that Splunk found no information regarding the time zone of the event and attributed to it the time zone of the instance where event parsing occurred (usually, the indexer).

link

answered 30 Mar '12, 22:11

hexx ♦
13.6k●9●15●68
accept rate: 56%

edited 06 Apr '12, 10:13

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

search ×1,651
timestamp ×265
timezones ×61

Asked: 28 Jun '11, 13:06

Seen: 1,182 times

Last updated: 06 Apr '12, 10:13

date_zone field

Follow this question

Splunk Resources

Related questions