Dashboards & Visualizations

One dashboard with multiple timezones

Path Finder

I have a dashboard with two panels.

Panel 1 displays todays events for an index with timezone UTC +4

Panel 2 displays todays events for an index with timezone UTC -4

I would like for both panels to display events 00:00 - 23:59 in the local timezone.

The problem is that my account is in UTC +4 timezone. So it does not show me only today in the UTC -4 panel but also parts of yesterday.

How do I solve it?

Tags (2)
1 Solution

Path Finder

I found a solution for my problem.

Set earliest=@d+6h to accommodate for the timezone difference to start off day.
Then move the events 6 hours by adding eval _time=_time-21600.

Works like a charm for me!

Example: sourcetype=events earliest=@d+6h| eval _time=_time-21600|timechart c

View solution in original post

Path Finder

I found a solution for my problem.

Set earliest=@d+6h to accommodate for the timezone difference to start off day.
Then move the events 6 hours by adding eval _time=_time-21600.

Works like a charm for me!

Example: sourcetype=events earliest=@d+6h| eval _time=_time-21600|timechart c

View solution in original post

Splunk Employee
Splunk Employee

If your events received a the same time are not comparable because they are from different timezone, then you have misconfigured your events timestamp and timezone detection.

Internally splunk converts and store all the events in GMT, so it is always able to compare them and translate to your user/search-head local timezone.
You probably have to enforce the timezone detection when your events are indexed. By example, tell the splunk indexer that events for one source/sourcetype/host are in TZ=1 while events from another source/sourcetype/host are in TZ=2 etc..., using props.conf
Please read this guide with great caution : http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/ApplyTimezoneOffsetsToTimeStamps

0 Karma

Path Finder

I think my timezones are configured correctly. A user configured with UTC-4 on his account is sees events in UTC-4 correctly. But it seems like UTC+4 events are translated to the local time of the user account.

Example:

User 1 has an account configured to UTC +4.
An event which takes place 2014-09-24 09:00 AM in UTC -4 is displayed as 4:00 PM for that user.

User 2 has an account configured to UTC -4.
An event which takes place 2014-09-24 09:00 AM in UTC -4 is displayed as 09:00 AM for that user.

0 Karma

Splunk Employee
Splunk Employee

Hi Carljohan, yes this is exactly what splunk does "But it seems like UTC+4 events are translated to the local time of the user account."

so the remaining problem is that you cannot have a dashboard/user with multiple display timezones.
Are you trying to build a sort of "World clock" dashboard ?

alt text

0 Karma

Path Finder

Im trying to create a dashboard like the one below. But I want the events that happen in New York to appear in local New York time and the ones that happen in Singapore to appear in local Singapore time.
alt text

Now the New York events appear with 6 hours delay. So yesterday evenings event (in local New York time) appear to have happened today.

alt text

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!