I scheduled a search to run at 0 2,8,14,20 * * *
The timezone of the search head is UTC. Therefore I expect the next run time to be 2am UTC, yet Splunk says the next run time would be 6am UTC.
How could this be? And where is this configured?
I suspect there is a setting somewhere which is making the cron expressions be interpreted in US Eastern Time. Since we are observing Daylight Savings Time, Eastern Daylight Time would be UTC-4.
The documentation (Use cron expressions for alert scheduling - Splunk Documentation) says "The Splunk cron analyzer defaults to the timezone where the search head is configured. This can be verified or changed by going to Settings > Searches, reports, and alerts > Scheduled time."
I find no "Scheduled Time" under Settings > Search, reports and alerts.
I did post this to the feedback on that documentation page in case it is actually inaccurate.
Where can I check and verify?
Thanks!
@justinhaynes - As per my understanding.
Please kindly check: if you have set the alert, then your configured timezone is what you are observing (EDT).
I hope this helps!!!
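One way to test the timezone suspicion raised in the question, as an added example that is not part of the original thread and not Splunk code: compute when `0 2,8,14,20 * * *` would next fire under each whole-hour UTC offset and keep the offsets that match the next run time the scheduler reports. The "now" timestamp is constructed, and fixed offsets are used instead of named zones, so DST transitions are not modelled.

```python
from datetime import datetime, timedelta, timezone

# Hour field of the cron expression from the post: 0 2,8,14,20 * * *
CRON_HOURS = (2, 8, 14, 20)

def next_run_utc(now_utc, utc_offset_hours, hours=CRON_HOURS, minute=0):
    """Next fire time, expressed in UTC, if the cron hours are read in a
    zone at the given fixed UTC offset (assumption: whole-hour offset)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local_now = now_utc.astimezone(tz)
    for day in range(2):  # today, then tomorrow, in scheduler-local time
        base = (local_now + timedelta(days=day)).replace(
            minute=minute, second=0, microsecond=0)
        for hour in sorted(hours):
            candidate = base.replace(hour=hour)
            if candidate > local_now:
                return candidate.astimezone(timezone.utc)
    raise ValueError("cron hour list is empty")

def consistent_offsets(now_utc, observed_next_utc, offsets=range(-12, 15)):
    """UTC offsets under which the cron expression yields the observed next run."""
    return [o for o in offsets if next_run_utc(now_utc, o) == observed_next_utc]

if __name__ == "__main__":
    # Constructed sample: the UI is checked at 01:15 UTC and shows 06:00 UTC.
    now = datetime(2024, 6, 10, 1, 15, tzinfo=timezone.utc)
    observed = datetime(2024, 6, 10, 6, 0, tzinfo=timezone.utc)
    print("expected if UTC:", next_run_utc(now, 0))
    print("expected if UTC-4:", next_run_utc(now, -4))
    print("offsets matching the observed run:", consistent_offsets(now, observed))
```

Because the four hours are six hours apart, UTC-4 is only one of several offsets that produce the same schedule; a check against a cron expression with a single hour value removes that ambiguity.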