How to change time zone format in dashboard panel to match user preference for triggered alerts?

gnoriega
Explorer

Hi,

I have a dashboard with a panel where I'm showing a table of triggered alerts:

            | table _time, ss_name, severity
            | sort - _time
            | rename ss_name AS "Alert Name", severity AS "Severity"

When a user clicks on the alert name, the dashboard populates a drill down pane.

        <drilldown>
          <condition field="Alert Name">
            <set token="show_panel">true</set>
            <set token="selected_value">"$click.value2$"</set>
            <set token="selected_value_latest">$click.value$</set>
            <eval token="selected_value_earliest">relative_time($selected_value_latest$, "-15m")</eval>
            <eval token="converted_time">strftime($selected_value_latest$, "%Y-%d-%m %H:%M")</eval>
          </condition>
          <condition>
          </condition>
        </drilldown>

and I'm using the converted_time token to show the user the time of the alarm they clicked.

    <panel>
      <table>
        <title>[Drilldown] Recent statistics for $selected_value$ at $converted_time$</title>

The issue I have is that this converted_time is showing an offset time. From what I gather it's showing the time in the local computer timezone (e.g. GMT -6 where the user is logged in from) even though the user's Splunk preference is set to GMT -5. I do not want to show the time in the user's timezone but rather in GMT -5.

If I run strftime in a search, e.g.:

    | eval converted_time=strftime(_time, "%Y-%d-%m %H:%M")
    | table _time converted_time

The converted_time column shows the time correctly matching the _time column. But when I use strftime in the dashboard:

    <eval token="converted_time">strftime($selected_value_latest$, "%Y-%d-%m %H:%M")</eval>

I'm getting a different result. How can I fix this?

0 Karma

gnoriega
Explorer

Found a way to solve this by doing several manipulations of the _time. When I get the value of $row._time$ it returns the time in string format with the correct timezone GMT -5. I then removed the trailing data that I didn't need.

            <eval token="strip_time">replace(replace($row._time$,"-05:00",""),"T"," ")</eval>
            <eval token="strip_time1">mvindex(split($strip_time$,":"),0)</eval>
            <eval token="strip_time2">mvindex(split($strip_time$,":"),1)</eval>
            <eval token="converted_time">$strip_time1$+":"+$strip_time2$</eval>

There's probably a better way to do this but this worked for me.

0 Karma
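
The following is an added example, not part of the original thread or of Splunk's code. It shows in JavaScript the two behaviours discussed above: the same epoch renders to a different wall-clock time depending on which zone the formatter uses, and the answer's string-trimming approach can be written so it accepts any UTC offset. The function names, the zone names and the sample timestamps are assumptions constructed for illustration.

```javascript
// Added example; all sample values below are constructed.

// Assumption: the row's _time value arrives as ISO 8601 with a numeric
// offset or "Z", e.g. "2019-03-07T14:32:10.000-05:00".
const ISO_WALL_CLOCK =
  /^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2})(?::\d{2}(?:\.\d+)?)?(?:Z|[+-]\d{2}:?\d{2})$/;

// Keep the date and HH:MM exactly as they were rendered in the string,
// whatever offset follows them. Malformed input is rejected, not trimmed.
function wallClockFromIso(iso) {
  const m = ISO_WALL_CLOCK.exec(String(iso).trim());
  if (!m) throw new RangeError(`not an ISO 8601 timestamp with offset: ${iso}`);
  return `${m[1]} ${m[2]}`;
}

// Render an epoch (in seconds) in a named IANA zone rather than in the
// zone of the machine that happens to run the code.
function formatEpochInZone(epochSeconds, timeZone) {
  const parts = new Intl.DateTimeFormat("en-CA", {
    timeZone,
    hourCycle: "h23",
    year: "numeric", month: "2-digit", day: "2-digit",
    hour: "2-digit", minute: "2-digit",
  }).formatToParts(new Date(Number(epochSeconds) * 1000));
  const p = Object.fromEntries(parts.map(({ type, value }) => [type, value]));
  return `${p.year}-${p.month}-${p.day} ${p.hour}:${p.minute}`;
}

// Constructed alert time: 2019-03-07T19:32:10Z.
const SAMPLE_EPOCH = 1551987130;

// Same instant, two zones: a UTC-5 zone and a zone that was at UTC-6 that day.
console.log(formatEpochInZone(SAMPLE_EPOCH, "America/Bogota"));
console.log(formatEpochInZone(SAMPLE_EPOCH, "America/Chicago"));

// String form of the same instant, trimmed without naming the offset.
console.log(wallClockFromIso("2019-03-07T14:32:10.000-05:00"));
```
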
