Configure client time zone in Dockerized Splunk

When you use the official Splunk Docker container, the UI shows timestamps in UTC by default: the container's system clock runs in UTC, and Splunk Web falls back to the server's time zone for any user who has not picked one. This is quite confusing if you are not actually in UTC (and worse in regions with daylight saving time, where the offset you have to mentally apply changes twice a year).

Fortunately Splunk lets each user select a time zone in the UI (top right corner, click your user name, then "Account settings"). But if you frequently recycle the container, redoing this for every user gets tedious and is easy to forget.

As it turns out, you can set the default for all users via a configuration file that acts as a template for new users. All that is needed is a user-prefs.conf file in the directory /opt/splunk/etc/system/local (Found this solution here). Note that it is a default, not an override: a user who has already chosen a time zone under Account settings keeps that choice, because per-user settings under /opt/splunk/etc/users/ take precedence over system/local. The file looks like this:

[general]
eai_app_only = False
eai_results_per_page = 25
tz = Canada/Alberta

In this example the default UI time zone is set to Alberta, Canada, which is Mountain Time (UTC-07:00, or UTC-06:00 during daylight saving time). Set tz = to the zone you need, using one of the names from the Account settings dropdown (for example America/Edmonton, the IANA tz database name for Alberta); it is worth checking the name against that list before baking it into the file.

Put together in a docker-compose.yml, it looks like this:

version: "3.2"

volumes:
  opt_splunk_etc:
  opt_splunk_var:

services: 
  splunk:
    hostname: splunkenterprise
    image: splunk/splunk:latest
    environment:
      SPLUNK_START_ARGS: --accept-license
      SPLUNK_ENABLE_LISTEN: 9997
      SPLUNK_ADD: tcp 1514
    volumes:
      - type: volume
        source: opt_splunk_etc
        target: /opt/splunk/etc
      - type: volume
        source: opt_splunk_var
        target: /opt/splunk/var
      - type: bind
        source: ./user-prefs.conf
        target: /opt/splunk/etc/system/local/user-prefs.conf
        read_only: true
    ports:
      - "8000:8000"
      - "9997:9997"
      - "8088:8088"
      - "1514:1514"

The interesting bit here is the read-only bind mount that places user-prefs.conf at the right location inside the container, so the default survives every recreation of the container (the long volume syntax spells the flag read_only, with an underscore; a hyphenated key is rejected by compose). Keep it read-only: nothing inside the container needs to write that file, so a misbehaving or compromised process in the container cannot change it either. Two further things a practitioner will want: pin the image tag instead of latest, because the environment variables the splunk/splunk image understands have changed between releases, and prefix the published ports with 127.0.0.1: (for example "127.0.0.1:8000:8000") when the box sits on a shared network and other hosts are not meant to reach the web UI.
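To make the tz value a checked input rather than a string you hope Splunk accepts, here is a small POSIX shell helper. It is an example added to this post, not code from the original or from Splunk's tooling. It assumes the host has the IANA tz database at /usr/share/zoneinfo (overridable through ZONEINFO_DIR), that the script is saved as make-user-prefs.sh, and that the compose service is named splunk as in the file above and is driven with Docker Compose v2 (docker compose ...). It writes the same user-prefs.conf shown above and shows how to confirm, with Splunk's own btool, which file the merged tz setting actually came from.

```shell
#!/bin/sh
# Added example (not from the original post): generate the user-prefs.conf
# that the compose file bind-mounts, after validating the time-zone name
# against the IANA tz database, and show how to confirm the merged setting.

# Where the tz database lives on the host; assumed path, override if needed.
ZONEINFO_DIR="${ZONEINFO_DIR:-/usr/share/zoneinfo}"

# check_tz NAME -> 0 if NAME is a zone file under ZONEINFO_DIR (for example
# America/Edmonton or Europe/Oslo), 1 otherwise. Rejects empty names and
# anything that could escape the zoneinfo directory.
check_tz() {
    tz="$1"
    case "$tz" in
        ''|/*|..|../*|*/..|*/../*) return 1 ;;
    esac
    [ -f "$ZONEINFO_DIR/$tz" ]
}

# write_user_prefs NAME FILE -> writes the [general] stanza from the post
# with tz set to NAME; refuses unknown names so a typo never reaches Splunk.
write_user_prefs() {
    tz="$1"
    out="$2"
    if ! check_tz "$tz"; then
        echo "write_user_prefs: '$tz' is not in $ZONEINFO_DIR" >&2
        return 1
    fi
    cat > "$out" <<EOF
[general]
eai_app_only = False
eai_results_per_page = 25
tz = $tz
EOF
}

# read_tz FILE -> prints the tz value currently in FILE (empty if none).
read_tz() {
    sed -n 's/^tz[[:space:]]*=[[:space:]]*//p' "$1"
}

# verify_in_container -> asks Splunk inside the running compose service which
# file each [general] setting was merged from. The tz line should point at
# /opt/splunk/etc/system/local/user-prefs.conf; if it points at a file under
# /opt/splunk/etc/users/, that user's own Account settings choice wins.
verify_in_container() {
    docker compose exec splunk \
        /opt/splunk/bin/splunk btool user-prefs list general --debug
}

# Usage: sh make-user-prefs.sh America/Edmonton   (writes ./user-prefs.conf)
if [ -n "${1:-}" ]; then
    write_user_prefs "$1" ./user-prefs.conf && echo "wrote ./user-prefs.conf (tz = $1)"
fi
```

Run it once with the zone you want before docker compose up, and run verify_in_container afterwards: btool --debug prefixes every line with the file it was read from, which is the quickest way to tell a default that is being applied from one that a per-user file is overriding.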

Easy as.