topic Re: How do I change my Alert TZ? in Alerting

How do I change my Alert TZ?

kmower — Wed, 26 Jun 2019 01:54:53 GMT

I have set up some alerts and I noticed that when I include 'Trigger Time' it is sent as GMT. Now I want it to be the local (Australia Eastern Standard Time). I have adjusted for iis logs by putting the iis and ms:iis:auto sourcetypes in etc\system\local\props.conf ... but since an 'Alert' is not a sourcetype and is not 'indexed' per se - how do I designate the time zone for the Alert 'Trigger Time' ? Thanks.

Re: How do I change my Alert TZ?

jnudell_2 — Wed, 26 Jun 2019 02:43:19 GMT

Hi @kmower ,
The time settings your are talking about are dependent upon the current users' preferences in the Splunk UI. Check under your user ID and preferences in the upper right of the Splunk UI. The default is to use the system (search head) time zone settings, which are probably GMT. You can change it to AEST, and then go back to your alerts and configure the scheduled times and trigger times for your AEST time settings.

Re: How do I change my Alert TZ?

kmower — Wed, 26 Jun 2019 03:06:44 GMT

OK, great thanks. I will try that out.

Re: How do I change my Alert TZ?

kmower — Wed, 26 Jun 2019 03:09:14 GMT

OK, I am the Admin for our on prem instance ... and my time zone was set correctly in preferences... but the Alert 'Trigger Time' in the email is GMT. Is there a .conf file where I can make the change for Alerts? Other than that I can just untick 'Triggered Time' but I would prefer to have 'Trigger Time' instead of relying on the email time. Thanks again.

Re: How do I change my Alert TZ?

jnudell_2 — Wed, 26 Jun 2019 03:14:53 GMT

Can you provide a screenshot of what you're referring to? The time settings should all be relative to your preferred time zone settings.

Re: How do I change my Alert TZ?

kmower — Wed, 26 Jun 2019 03:24:29 GMT

Aww Snap ... not enough Karma for attachments 😞 happy to send wherever ...

Re: How do I change my Alert TZ?

kmower — Wed, 26 Jun 2019 03:26:42 GMT

Anyway, I am in GMT+10, and that is set in my user preferences. I had an Alert generated at 12:55pm my time (half an hour ago) and the 'Triggered Time' showed as 03:55:02 T-1 which is GMT ... 12:55pm - 10 hours = 3:55am

Re: How do I change my Alert TZ?

jnudell_2 — Wed, 26 Jun 2019 03:27:05 GMT

joshua(dot)nudell(at)concanon(dot)com

Re: How do I change my Alert TZ?

jnudell_2 — Wed, 26 Jun 2019 03:53:59 GMT

Forgot to mention, it will run as the timezone of the owner of the alert. I've checked, and it definitely uses the timezone settings from the user that has ownership to display the trigger time. I validated on my instance with a dummy alert, and the trigger time changes as I changed my user timezone preferences.

Re: How do I change my Alert TZ?

kmower — Wed, 26 Jun 2019 04:07:01 GMT

Hmmm. Well, I definitely created it as the Admin user (me) and the Admin user's prefs are in GMT+10 , but the 'Trigger Time' is getting sent as GMT. I am running 7.3 ... perhaps it is a bug? Weird. I set the local time a long time ago.... the 'T-1' added on the back of the Trigger Time makes me wonder if there are other 'times' such as T-2, T-3, etc. Do you you know why that 'T-1' is appended?

Re: How do I change my Alert TZ?

dbroggy — Mon, 01 Jul 2019 21:45:21 GMT

Why don't you just add an eval function to your alert query and calculate the time difference into a new key or overwrite the trigger time key?

Re: How do I change my Alert TZ?

woodcock — Mon, 01 Jul 2019 22:13:09 GMT

Go to <Your Name> -> Preferences -> Time zone and set it as you like. Then be sure that the saved search runs AS THAT USER!

Re: How do I change my Alert TZ?

kmower — Tue, 02 Jul 2019 00:46:28 GMT

Good idea. How would I overwrite (or get a handle on) the trigger time key? Thanks.

Re: How do I change my Alert TZ?

kmower — Tue, 02 Jul 2019 00:47:28 GMT

Yes, I have set the time preference for the user that the Alert is run as ... but I still get GMT instead of my adjusted TZ. I have tried different users and have the same thing. I am running 7.3

Re: How do I change my Alert TZ?

woodcock — Tue, 02 Jul 2019 01:28:38 GMT

This absolutely a bug. If you have set the search to run As owner and the owner has those settings, then you need to open a case.

Re: How do I change my Alert TZ?

kmower — Tue, 02 Jul 2019 01:33:56 GMT

Right. I'll jump on and lodge it now. Thanks.

Re: How do I change my Alert TZ?

dbroggy — Tue, 02 Jul 2019 02:51:17 GMT

I'm not sure what your alert is looking at but normally the trigger time would be the same time as the last event associated with your alert. I appreciate whatever is actually set as the trigger time information might not be stored in your event but generated via backend python. eg.
https://answers.splunk.com/answers/293978/how-to-change-the-alert-email-trigger-time-format.html