Configure client time zone in Dockerized Splunk
When you use the official Splunk Docker container, the UI shows times in UTC by default. This can be quite confusing if you are not actually in that time zone (or have to deal with daylight saving time...).
Fortunately Splunk allows you to select the time zone you want in the UI (it's in the top right corner, click "Account settings"). But if you frequently recycle the container this gets a bit tedious and it's something you'll easily forget.
As it turns out, you can set the default for all users via a configuration file that acts as a template for all users. The only thing that is needed is to create a user-prefs.conf file in the directory /opt/splunk/etc/system/local. (Found this solution here). The file looks like this:

    [general]
    eai_app_only = False
    eai_results_per_page = 25
    tz = Canada/Alberta

In this example I've configured the default UI time zone to be Alberta in Canada (UTC-06:00). You can simply set tz to the time zone you need.
Putting this together in a docker-compose.yml it will look like this:

    version: "3.2"

    volumes:
      opt_splunk_etc:
      opt_splunk_var:

    services:
      splunk:
        hostname: splunkenterprise
        image: splunk/splunk:latest
        environment:
          SPLUNK_START_ARGS: --accept-license
          SPLUNK_ENABLE_LISTEN: 9997
          SPLUNK_ADD: tcp 1514
        volumes:
          - type: volume
            source: opt_splunk_etc
            target: /opt/splunk/etc
          - type: volume
            source: opt_splunk_var
            target: /opt/splunk/var
          # Bind-mount the time zone template from the host, read-only
          - type: bind
            source: ./user-prefs.conf
            target: /opt/splunk/etc/system/local/user-prefs.conf
            read_only: true
        ports:
          - "8000:8000"
          - "9997:9997"
          - "8088:8088"
          - "1514:1514"

The interesting bit here is the bind volume that maps the user-prefs.conf file into the right location inside the container.