Solved: How to change time zone format in dashboard panel ...

gnoriega · ‎05-26-2020

Hi,

I have a dashboard with a panel where I'm showing a table of triggered alerts:

            | table _time, ss_name, severity
            | sort - _time
            | rename ss_name AS "Alert Name", severity AS "Severity"

When a user clicks on the alert name, the dashboard populates a drill down pane.

        <drilldown>
          <condition field="Alert Name">
            <set token="show_panel">true</set>
            <set token="selected_value">"$click.value2$"</set>
            <set token="selected_value_latest">$click.value$</set>
            <eval token="selected_value_earliest">relative_time($selected_value_latest$, "-15m")</eval>
            <eval token="converted_time">strftime($selected_value_latest$, "%Y-%d-%m %H:%M")</eval>
          </condition>
          <condition>
          </condition>
        </drilldown>

and I'm using the converted_time token to show the user the time of the alarm they clicked.

    <panel>
      <table>
        <title>[Drilldown] Recent statistics for $selected_value$ at $converted_time$</title>

The issue I have is that this converted_time is showing an offset time. From what I gather it's showing the time in the local computer timezone (e.g. GMT -6 where the user is logged in from) even though the user's Splunk preference is set to GMT -5. I do not want to show the time in the user's timezone but rather in GMT -5.

If I run strftime in a search, e.g.:

 | eval converted_time= strftime(_time, "%Y-%d-%m %H:%M")
 | table _time converted_time

The converted_time column shows the time correctly matching the _time column. But when I use strftime in the dashboard:

<eval token="converted_time">strftime($selected_value_latest$, "%Y-%d-%m %H:%M")</eval>

I'm getting a different result. How can I fix this?

gnoriega · ‎05-27-2020

Found a way to solve this by doing several manipulations of the _time. When I get the value of $row._time$ it returns the time in string format with the correct timezone GMT -5. I then removed the trailing data that I didn't need.

            <eval token="strip_time">replace(replace($row._time$,"-05:00",""),"T"," ")</eval>
            <eval token="strip_time1">mvindex(split($strip_time$,":"),0)</eval>
            <eval token="strip_time2">mvindex(split($strip_time$,":"),1)</eval>
            <eval token="converted_time">$strip_time1$+":"+$strip_time2$</eval>

There's probably a better way to do this but this worked for me.

View solution in original post

gnoriega · ‎05-27-2020

Found a way to solve this by doing several manipulations of the _time. When I get the value of $row._time$ it returns the time in string format with the correct timezone GMT -5. I then removed the trailing data that I didn't need.

            <eval token="strip_time">replace(replace($row._time$,"-05:00",""),"T"," ")</eval>
            <eval token="strip_time1">mvindex(split($strip_time$,":"),0)</eval>
            <eval token="strip_time2">mvindex(split($strip_time$,":"),1)</eval>
            <eval token="converted_time">$strip_time1$+":"+$strip_time2$</eval>

There's probably a better way to do this but this worked for me.

How to change time zone format in dashboard panel to match user preference for triggered alerts?

drilldown

panel

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...