Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I change my Alert TZ?

kmower
Communicator
‎06-25-2019 06:54 PM

I have set up some alerts and I noticed that when I include 'Trigger Time' it is sent as GMT. Now I want it to be the local (Australia Eastern Standard Time). I have adjusted for iis logs by putting the iis and ms:iis:auto sourcetypes in etc\system\local\props.conf ... but since an 'Alert' is not a sourcetype and is not 'indexed' per se - how do I designate the time zone for the Alert 'Trigger Time' ? Thanks.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-01-2019 03:13 PM

Go to <Your Name> -> Preferences -> Time zone and set it as you like. Then be sure that the saved search runs AS THAT USER!

View solution in original post

Reply
Solved! Jump to solution

kmower
Communicator
‎07-01-2019 06:33 PM

Right. I'll jump on and lodge it now. Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-01-2019 03:13 PM

Go to <Your Name> -> Preferences -> Time zone and set it as you like. Then be sure that the saved search runs AS THAT USER!

Reply
Solved! Jump to solution

kmower
Communicator
‎07-01-2019 05:47 PM

Yes, I have set the time preference for the user that the Alert is run as ... but I still get GMT instead of my adjusted TZ. I have tried different users and have the same thing. I am running 7.3

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-01-2019 06:28 PM

This absolutely a bug. If you have set the search to run As owner and the owner has those settings, then you need to open a case.

0 Karma
Reply
Solved! Jump to solution

jnudell_2
Builder
‎06-25-2019 07:43 PM

Hi @kmower ,
The time settings your are talking about are dependent upon the current users' preferences in the Splunk UI. Check under your user ID and preferences in the upper right of the Splunk UI. The default is to use the system (search head) time zone settings, which are probably GMT. You can change it to AEST, and then go back to your alerts and configure the scheduled times and trigger times for your AEST time settings.

Reply
Solved! Jump to solution

kmower
Communicator
‎06-25-2019 08:09 PM

OK, I am the Admin for our on prem instance ... and my time zone was set correctly in preferences... but the Alert 'Trigger Time' in the email is GMT. Is there a .conf file where I can make the change for Alerts? Other than that I can just untick 'Triggered Time' but I would prefer to have 'Trigger Time' instead of relying on the email time. Thanks again.

0 Karma
Reply
Solved! Jump to solution

dbroggy
Path Finder
‎07-01-2019 02:45 PM

Why don't you just add an eval function to your alert query and calculate the time difference into a new key or overwrite the trigger time key?

0 Karma
Reply
Solved! Jump to solution

kmower
Communicator
‎07-01-2019 05:46 PM

Good idea. How would I overwrite (or get a handle on) the trigger time key? Thanks.

0 Karma
Reply
Solved! Jump to solution

dbroggy
Path Finder
‎07-01-2019 07:51 PM

I'm not sure what your alert is looking at but normally the trigger time would be the same time as the last event associated with your alert. I appreciate whatever is actually set as the trigger time information might not be stored in your event but generated via backend python. eg.
https://answers.splunk.com/answers/293978/how-to-change-the-alert-email-trigger-time-format.html

0 Karma
Reply
Solved! Jump to solution

jnudell_2
Builder
‎06-25-2019 08:53 PM

Forgot to mention, it will run as the timezone of the owner of the alert. I've checked, and it definitely uses the timezone settings from the user that has ownership to display the trigger time. I validated on my instance with a dummy alert, and the trigger time changes as I changed my user timezone preferences.

0 Karma
Reply
Solved! Jump to solution

kmower
Communicator
‎06-25-2019 09:07 PM

Hmmm. Well, I definitely created it as the Admin user (me) and the Admin user's prefs are in GMT+10 , but the 'Trigger Time' is getting sent as GMT. I am running 7.3 ... perhaps it is a bug? Weird. I set the local time a long time ago.... the 'T-1' added on the back of the Trigger Time makes me wonder if there are other 'times' such as T-2, T-3, etc. Do you you know why that 'T-1' is appended?

0 Karma
Reply
Solved! Jump to solution

jnudell_2
Builder
‎06-25-2019 08:14 PM

Can you provide a screenshot of what you're referring to? The time settings should all be relative to your preferred time zone settings.

0 Karma
Reply
Solved! Jump to solution

kmower
Communicator
‎06-25-2019 08:24 PM

Aww Snap ... not enough Karma for attachments 😞 happy to send wherever ...

0 Karma
Reply
Solved! Jump to solution

jnudell_2
Builder
‎06-25-2019 08:27 PM

joshua(dot)nudell(at)concanon(dot)com

0 Karma
Reply
Solved! Jump to solution

kmower
Communicator
‎06-25-2019 08:26 PM

Anyway, I am in GMT+10, and that is set in my user preferences. I had an Alert generated at 12:55pm my time (half an hour ago) and the 'Triggered Time' showed as 03:55:02 T-1 which is GMT ... 12:55pm - 10 hours = 3:55am

0 Karma
Reply
Solved! Jump to solution

kmower
Communicator
‎06-25-2019 08:06 PM

OK, great thanks. I will try that out.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...