Solved: How to change time zone format in dashboard panel ...

gnoriega · ‎05-26-2020

Hi,

I have a dashboard with a panel where I'm showing a table of triggered alerts:

            | table _time, ss_name, severity
            | sort - _time
            | rename ss_name AS "Alert Name", severity AS "Severity"

When a user clicks on the alert name, the dashboard populates a drill down pane.

        <drilldown>
          <condition field="Alert Name">
            <set token="show_panel">true</set>
            <set token="selected_value">"$click.value2$"</set>
            <set token="selected_value_latest">$click.value$</set>
            <eval token="selected_value_earliest">relative_time($selected_value_latest$, "-15m")</eval>
            <eval token="converted_time">strftime($selected_value_latest$, "%Y-%d-%m %H:%M")</eval>
          </condition>
          <condition>
          </condition>
        </drilldown>

and I'm using the converted_time token to show the user the time of the alarm they clicked.

    <panel>
      <table>
        <title>[Drilldown] Recent statistics for $selected_value$ at $converted_time$</title>

The issue I have is that this converted_time is showing an offset time. From what I gather it's showing the time in the local computer timezone (e.g. GMT -6 where the user is logged in from) even though the user's Splunk preference is set to GMT -5. I do not want to show the time in the user's timezone but rather in GMT -5.

If I run strftime in a search, e.g.:

 | eval converted_time= strftime(_time, "%Y-%d-%m %H:%M")
 | table _time converted_time

The converted_time column shows the time correctly matching the _time column. But when I use strftime in the dashboard:

<eval token="converted_time">strftime($selected_value_latest$, "%Y-%d-%m %H:%M")</eval>

I'm getting a different result. How can I fix this?

gnoriega · ‎05-27-2020

Found a way to solve this by doing several manipulations of the _time. When I get the value of $row._time$ it returns the time in string format with the correct timezone GMT -5. I then removed the trailing data that I didn't need.

            <eval token="strip_time">replace(replace($row._time$,"-05:00",""),"T"," ")</eval>
            <eval token="strip_time1">mvindex(split($strip_time$,":"),0)</eval>
            <eval token="strip_time2">mvindex(split($strip_time$,":"),1)</eval>
            <eval token="converted_time">$strip_time1$+":"+$strip_time2$</eval>

There's probably a better way to do this but this worked for me.

View solution in original post

gnoriega · ‎05-27-2020

Found a way to solve this by doing several manipulations of the _time. When I get the value of $row._time$ it returns the time in string format with the correct timezone GMT -5. I then removed the trailing data that I didn't need.

            <eval token="strip_time">replace(replace($row._time$,"-05:00",""),"T"," ")</eval>
            <eval token="strip_time1">mvindex(split($strip_time$,":"),0)</eval>
            <eval token="strip_time2">mvindex(split($strip_time$,":"),1)</eval>
            <eval token="converted_time">$strip_time1$+":"+$strip_time2$</eval>

There's probably a better way to do this but this worked for me.

How to change time zone format in dashboard panel to match user preference for triggered alerts?

drilldown

panel

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector