We have a Splunk environment with clustered indexers and a distributed search head running on version 7.1.3. All servers are in the Belgium time zone (CET).
As we have users across the globe, we decided to use GMT as the user time zone in the preferences page. Using this setting, when we select a time range in a dashboard panel, it is shown according to the CET time zone rather than the GMT time zone.
For example: if we select the time range as earliest=31/10/2018 00:00:00 and latest=31/10/2018 10:00:00, then the graph shows from earliest=30/10/2018 23:00:00 to latest=31/10/2018 09:00:00.
Also, this behavior is being observed only in dashboards but not for ad-hoc searches. Could you please help me to understand this pattern? Thanks in advance.
My suggestion is to create an app and add the stanza below to user-prefs.conf. Make sure the users that are assigned to the particular role see the GMT time zone. Maybe you should create a new role, assign all the users that should see the GMT time to this role, and add the stanza below.
tz = GMT
Are you hardcoding that time range in the search behind the dashboard, or are you using the time picker? And what user is used to execute the search behind the dashboard? Is that the end user, or are the searches run on behalf of some other user (with another time zone preference)?