Dashboards & Visualizations

How to change time zone format in dashboard panel to match user preference for triggered alerts?

gnoriega
Explorer

Hi,

I have a dashboard with a panel where I'm showing a table of triggered alerts:

            | table _time, ss_name, severity
            | sort - _time
            | rename ss_name AS "Alert Name", severity AS "Severity"

When a user clicks on the alert name, the dashboard populates a drill down pane.

        <drilldown>
          <condition field="Alert Name">
            <set token="show_panel">true</set>
            <set token="selected_value">"$click.value2$"</set>
            <set token="selected_value_latest">$click.value$</set>
            <eval token="selected_value_earliest">relative_time($selected_value_latest$, "-15m")</eval>
            <eval token="converted_time">strftime($selected_value_latest$, "%Y-%d-%m %H:%M")</eval>
          </condition>
          <condition>
          </condition>
        </drilldown>

and I'm using the converted_time token to show the user the time of the alarm they clicked.

    <panel>
      <table>
        <title>[Drilldown] Recent statistics for $selected_value$ at $converted_time$</title>

The issue I have is that this converted_time is showing an offset time. From what I gather it's showing the time in the local computer timezone (e.g. GMT -6 where the user is logged in from) even though the user's Splunk preference is set to GMT -5. I do not want to show the time in the user's timezone but rather in GMT -5.

If I run strftime in a search, e.g.:

 | eval converted_time= strftime(_time, "%Y-%d-%m %H:%M")
 | table _time converted_time

The converted_time column shows the time correctly matching the _time column. But when I use strftime in the dashboard:

<eval token="converted_time">strftime($selected_value_latest$, "%Y-%d-%m %H:%M")</eval>

I'm getting a different result. How can I fix this?

alt text

Labels (2)
0 Karma
1 Solution

gnoriega
Explorer

Found a way to solve this by doing several manipulations of the _time. When I get the value of $row._time$ it returns the time in string format with the correct timezone GMT -5. I then removed the trailing data that I didn't need.

            <eval token="strip_time">replace(replace($row._time$,"-05:00",""),"T"," ")</eval>
            <eval token="strip_time1">mvindex(split($strip_time$,":"),0)</eval>
            <eval token="strip_time2">mvindex(split($strip_time$,":"),1)</eval>
            <eval token="converted_time">$strip_time1$+":"+$strip_time2$</eval>

There's probably a better way to do this but this worked for me.

View solution in original post

0 Karma

gnoriega
Explorer

Found a way to solve this by doing several manipulations of the _time. When I get the value of $row._time$ it returns the time in string format with the correct timezone GMT -5. I then removed the trailing data that I didn't need.

            <eval token="strip_time">replace(replace($row._time$,"-05:00",""),"T"," ")</eval>
            <eval token="strip_time1">mvindex(split($strip_time$,":"),0)</eval>
            <eval token="strip_time2">mvindex(split($strip_time$,":"),1)</eval>
            <eval token="converted_time">$strip_time1$+":"+$strip_time2$</eval>

There's probably a better way to do this but this worked for me.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...