i have a user in Eastern time who need to view the dashboard of two extreme location of different time zone.
if u apply time range option last 4hours it will be apply with the user current time zone but if the data from asia region it will be not the last 4 hours latest data of asia timing.
how to over come this
Hi premranjithj,
So as long as the data incoming from the various systems are configured with the timezone of their source. i.e. If a server from Asia has in its props.conf the "TZ = ..." set to its local timezone. Then Splunk will automatically convert this in its backend to UTC, then it will show the event time in the user's configured timezone that was/is set within their account preferences... No matter what timezone it is actually coming from.
If you don't tell Splunk that the data coming in is in a different timezone (non-UF data) then it will presume it is UTC. If it is via a UF agent then I believe the UF will recognise the system time of where it is installed...
Hopefully that helps you
but the user are from both location. consider if user1(ASIA timezone) view asia and europe data with timerane as last 4 hours.
will be the the last 4 hours of asia and also europe????
same vice versa if user2 in europe timezone view last 24 hours of data of asia will it be applicable to user configured timezone or the data of asia timezone?
No, it will show all data that the user(s) have access to for that time range But note that if the user is in Aisa they are roughly 6-10 hours ahead of Europe, so last 4 hours won't show that data because that would be "in the future" for Europe... I believe for the Europe user if selecting "last 4 hours", then it will show data that is current for Europe but because of timezones will be several hours old of the Asia systems...
The time for the events (if on "list" view in search), will show it in the user's configured time zone. Whereas the _raw event will show the original time no matter what is set in Splunk.
This is why most places that have international presence will just set all systems to UTC, then Splunk, Windows, etc... will convert the time to the user's configured timezone but the data coming in will be in the one timezone...