Dashboards & Visualizations

One dashboard with multiple timezones

carljohan
Path Finder

I have a dashboard with two panels.

Panel 1 displays todays events for an index with timezone UTC +4

Panel 2 displays todays events for an index with timezone UTC -4

I would like for both panels to display events 00:00 - 23:59 in the local timezone.

The problem is that my account is in UTC +4 timezone. So it does not show me only today in the UTC -4 panel but also parts of yesterday.

How do I solve it?

Tags (2)
1 Solution

carljohan
Path Finder

I found a solution for my problem.

Set earliest=@d+6h to accommodate for the timezone difference to start off day.
Then move the events 6 hours by adding eval _time=_time-21600.

Works like a charm for me!

Example: sourcetype=events earliest=@d+6h| eval _time=_time-21600|timechart c

View solution in original post

carljohan
Path Finder

I found a solution for my problem.

Set earliest=@d+6h to accommodate for the timezone difference to start off day.
Then move the events 6 hours by adding eval _time=_time-21600.

Works like a charm for me!

Example: sourcetype=events earliest=@d+6h| eval _time=_time-21600|timechart c

yannK
Splunk Employee
Splunk Employee

If your events received a the same time are not comparable because they are from different timezone, then you have misconfigured your events timestamp and timezone detection.

Internally splunk converts and store all the events in GMT, so it is always able to compare them and translate to your user/search-head local timezone.
You probably have to enforce the timezone detection when your events are indexed. By example, tell the splunk indexer that events for one source/sourcetype/host are in TZ=1 while events from another source/sourcetype/host are in TZ=2 etc..., using props.conf
Please read this guide with great caution : http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/ApplyTimezoneOffsetsToTimeStamps

0 Karma

carljohan
Path Finder

I think my timezones are configured correctly. A user configured with UTC-4 on his account is sees events in UTC-4 correctly. But it seems like UTC+4 events are translated to the local time of the user account.

Example:

User 1 has an account configured to UTC +4.
An event which takes place 2014-09-24 09:00 AM in UTC -4 is displayed as 4:00 PM for that user.

User 2 has an account configured to UTC -4.
An event which takes place 2014-09-24 09:00 AM in UTC -4 is displayed as 09:00 AM for that user.

0 Karma

yannK
Splunk Employee
Splunk Employee

Hi Carljohan, yes this is exactly what splunk does "But it seems like UTC+4 events are translated to the local time of the user account."

so the remaining problem is that you cannot have a dashboard/user with multiple display timezones.
Are you trying to build a sort of "World clock" dashboard ?

alt text

0 Karma

carljohan
Path Finder

Im trying to create a dashboard like the one below. But I want the events that happen in New York to appear in local New York time and the ones that happen in Singapore to appear in local Singapore time.
alt text

Now the New York events appear with 6 hours delay. So yesterday evenings event (in local New York time) appear to have happened today.

alt text

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...