I have a Splunk App which contains various Dashboards with several panels.
This Dashboard historically worked identically for all users, now recently depending on who runs the Dashboard the results seem to vary.
I'll use 3 different users as examples. User1 will run a Dashboard and get good results as expected, user2 and user3 receive no results found. I don't believe this is a permission issue as user3 is an admin, the other two are "users" with permissions to this app and dashboard. All 3 users have access to the relevant indexes and app.
In another example, the panel returns a Column chart, again here user1 gets good results, the other two users get data returned but the column for March is missing from the results. I've added screenshots for a graphical view.
$SPLUNK_HOME/etc/users///... to see if there are any differences in dashboard versions. I don't find any differences between accounts and wasn't able to locate any xml's to compare.
The deployment is on prem no cluster
Would appreciate any assistance or input for this issue
do any error messages appear for the two users with inconsistent views? Most of the time a small yellow or red triangle is seen in the upper right corner of the panel if the search behind the panel has any problems.
Could for example be a problem with one indexer, so only the data of one indexer is shown. But i can not know exactly, cause i do not know how much indexers you have.
Also make sure the users do not have any personal copies of the dashboards in the users local folder, as you already mentioned. the dashboards xml file should be located in the apps default or local folder, where local has preference over default. But if a user got a version of the xml in the user/app/local folder, this would overwrite the one in the app.
Double check if all extracted fields, lookups and other knowledge objects used in the search have the same permissions for all users.
As is the case with problems like this, the day after deciding to post a question and ask for assistance, the answer comes to you.
It turns out the issue was related to the timezones set in the user profiles. I noticed that the one user who was getting good results had the "default timezone" set in his account.
All other users had the timezone set to the Central Timezone. I updated the timezones to default and everyone is now getting good results.
Not sure if this is a bug or if I need to look into the defined sources and how the timestamps are being handled during Indexing?
Thanks for the response Tom, I think I'm good now just need to dig into the data a bit more.