How do I change my Alert TZ?

Path Finder

I have set up some alerts and I noticed that when I include 'Trigger Time' it is sent as GMT. Now I want it to be the local (Australia Eastern Standard Time). I have adjusted for iis logs by putting the iis and ms:iis:auto sourcetypes in etc\system\local\props.conf ... but since an 'Alert' is not a sourcetype and is not 'indexed' per se - how do I designate the time zone for the Alert 'Trigger Time' ? Thanks.

1 Solution

Esteemed Legend

Go to <Your Name> -> Preferences -> Time zone and set it as you like. Then be sure that the saved search runs AS THAT USER!

0 Karma

Path Finder

Right. I'll jump on and lodge it now. Thanks.

0 Karma

Path Finder

Yes, I have set the time preference for the user that the Alert is run as ... but I still get GMT instead of my adjusted TZ. I have tried different users and have the same thing. I am running 7.3

0 Karma

Esteemed Legend

This is absolutely a bug. If you have set the search to run As owner and the owner has those settings, then you need to open a case.

0 Karma

Builder

Hi @kmower ,
The time settings you are talking about are dependent upon the current user's preferences in the Splunk UI. Check under your user ID and preferences in the upper right of the Splunk UI. The default is to use the system (search head) time zone settings, which are probably GMT. You can change it to AEST, and then go back to your alerts and configure the scheduled times and trigger times for your AEST time settings.

Path Finder

OK, I am the Admin for our on prem instance ... and my time zone was set correctly in preferences... but the Alert 'Trigger Time' in the email is GMT. Is there a .conf file where I can make the change for Alerts? Other than that I can just untick 'Triggered Time' but I would prefer to have 'Trigger Time' instead of relying on the email time. Thanks again.

0 Karma

Path Finder

Why don't you just add an eval function to your alert query and calculate the time difference into a new key or overwrite the trigger time key?

0 Karma

Path Finder

Good idea. How would I overwrite (or get a handle on) the trigger time key? Thanks.

0 Karma

Path Finder

I'm not sure what your alert is looking at, but normally the trigger time would be the same time as the last event associated with your alert. I appreciate whatever is actually set as the trigger time information might not be stored in your event but generated via backend Python, e.g.
https://answers.splunk.com/answers/293978/how-to-change-the-alert-email-trigger-time-format.html

0 Karma

Builder

Forgot to mention, it will run as the timezone of the owner of the alert. I've checked, and it definitely uses the timezone settings from the user that has ownership to display the trigger time. I validated on my instance with a dummy alert, and the trigger time changes as I changed my user timezone preferences.

0 Karma

Path Finder

Hmmm. Well, I definitely created it as the Admin user (me) and the Admin user's prefs are in GMT+10, but the 'Trigger Time' is getting sent as GMT. I am running 7.3 ... perhaps it is a bug? Weird. I set the local time a long time ago.... the 'T-1' added on the back of the Trigger Time makes me wonder if there are other 'times' such as T-2, T-3, etc. Do you know why that 'T-1' is appended?

0 Karma

Builder

Can you provide a screenshot of what you're referring to? The time settings should all be relative to your preferred time zone settings.

0 Karma

Path Finder

Aww Snap ... not enough Karma for attachments 😞 happy to send wherever ...

0 Karma

Builder

joshua(dot)nudell(at)concanon(dot)com

0 Karma

Path Finder

Anyway, I am in GMT+10, and that is set in my user preferences. I had an Alert generated at 12:55pm my time (half an hour ago) and the 'Triggered Time' showed as 03:55:02 T-1 which is GMT ... 12:55pm - 10 hours = 3:55am

0 Karma

Path Finder

OK, great thanks. I will try that out.

0 Karma