Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

One dashboard with multiple timezones

carljohan
Path Finder
‎09-24-2014 08:10 AM

I have a dashboard with two panels.

Panel 1 displays todays events for an index with timezone UTC +4

Panel 2 displays todays events for an index with timezone UTC -4

I would like for both panels to display events 00:00 - 23:59 in the local timezone.

The problem is that my account is in UTC +4 timezone. So it does not show me only today in the UTC -4 panel but also parts of yesterday.

How do I solve it?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

carljohan
Path Finder
‎09-29-2014 04:11 AM

I found a solution for my problem.

Set earliest=@d+6h to accommodate for the timezone difference to start off day.
Then move the events 6 hours by adding eval _time=_time-21600.

Works like a charm for me!

Example: sourcetype=events earliest=@d+6h| eval _time=_time-21600|timechart c

View solution in original post

Reply
Solved! Jump to solution
Solution

carljohan
Path Finder
‎09-29-2014 04:11 AM

I found a solution for my problem.

Set earliest=@d+6h to accommodate for the timezone difference to start off day.
Then move the events 6 hours by adding eval _time=_time-21600.

Works like a charm for me!

Example: sourcetype=events earliest=@d+6h| eval _time=_time-21600|timechart c

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎09-24-2014 08:24 AM

If your events received a the same time are not comparable because they are from different timezone, then you have misconfigured your events timestamp and timezone detection.

Internally splunk converts and store all the events in GMT, so it is always able to compare them and translate to your user/search-head local timezone.
You probably have to enforce the timezone detection when your events are indexed. By example, tell the splunk indexer that events for one source/sourcetype/host are in TZ=1 while events from another source/sourcetype/host are in TZ=2 etc..., using props.conf
Please read this guide with great caution : http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/ApplyTimezoneOffsetsToTimeStamps

0 Karma
Reply
Solved! Jump to solution

carljohan
Path Finder
‎09-24-2014 08:46 AM

I think my timezones are configured correctly. A user configured with UTC-4 on his account is sees events in UTC-4 correctly. But it seems like UTC+4 events are translated to the local time of the user account.

Example:

User 1 has an account configured to UTC +4.
An event which takes place 2014-09-24 09:00 AM in UTC -4 is displayed as 4:00 PM for that user.

User 2 has an account configured to UTC -4.
An event which takes place 2014-09-24 09:00 AM in UTC -4 is displayed as 09:00 AM for that user.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎09-24-2014 10:34 AM

Hi Carljohan, yes this is exactly what splunk does "But it seems like UTC+4 events are translated to the local time of the user account."

so the remaining problem is that you cannot have a dashboard/user with multiple display timezones.
Are you trying to build a sort of "World clock" dashboard ?

alt text

0 Karma
Reply
Solved! Jump to solution

carljohan
Path Finder
‎09-25-2014 01:04 AM

Im trying to create a dashboard like the one below. But I want the events that happen in New York to appear in local New York time and the ones that happen in Singapore to appear in local Singapore time.
alt text

Now the New York events appear with 6 hours delay. So yesterday evenings event (in local New York time) appear to have happened today.

alt text

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...