I have set up some alerts and I noticed that when I include 'Trigger Time' it is sent as GMT. Now I want it to be the local (Australia Eastern Standard Time). I have adjusted for iis logs by putting the iis and ms:iis:auto sourcetypes in etc\system\local\props.conf ... but since an 'Alert' is not a sourcetype and is not 'indexed' per se - how do I designate the time zone for the Alert 'Trigger Time'? Thanks.
Yes, I have set the time preference for the user that the Alert is run as ... but I still get GMT instead of my adjusted TZ. I have tried different users and have the same thing. I am running 7.3.
Hi @kmower ,
The time settings you are talking about are dependent upon the current user's preferences in the Splunk UI. Check under your user ID and preferences in the upper right of the Splunk UI. The default is to use the system (search head) time zone settings, which are probably GMT. You can change it to AEST, and then go back to your alerts and configure the scheduled times and trigger times for your AEST time settings.
OK, I am the Admin for our on prem instance ... and my time zone was set correctly in preferences... but the Alert 'Trigger Time' in the email is GMT. Is there a .conf file where I can make the change for Alerts? Other than that I can just untick 'Triggered Time' but I would prefer to have 'Trigger Time' instead of relying on the email time. Thanks again.
I'm not sure what your alert is looking at but normally the trigger time would be the same time as the last event associated with your alert. I appreciate whatever is actually set as the trigger time information might not be stored in your event but generated via backend python. eg.
Forgot to mention, it will run as the timezone of the owner of the alert. I've checked, and it definitely uses the timezone settings from the user that has ownership to display the trigger time. I validated on my instance with a dummy alert, and the trigger time changes as I changed my user timezone preferences.
Hmmm. Well, I definitely created it as the Admin user (me) and the Admin user's prefs are in GMT+10, but the 'Trigger Time' is getting sent as GMT. I am running 7.3 ... perhaps it is a bug? Weird. I set the local time a long time ago.... the 'T-1' added on the back of the Trigger Time makes me wonder if there are other 'times' such as T-2, T-3, etc. Do you know why that 'T-1' is appended?
Anyway, I am in GMT+10, and that is set in my user preferences. I had an Alert generated at 12:55pm my time (half an hour ago) and the 'Triggered Time' showed as 03:55:02 T-1 which is GMT ... 12:55pm - 10 hours = 3:55am