
Splunk Interface based on Roles

Path Finder

Business Setup

  1. Organization Acme has multiple offices in different timezones
  2. Each office has a manager. When the manager logs in to the dashboard, he sees his office's data
  3. Executive management, which is headquartered in the PST timezone, needs to see the performance of all the offices when logging in

My Dashboard setup

  1. I have a dashboard where a logged-in user (that office-specific manager or executive) can pick ONLY one office from the drop-down
  2. The dashboard has a date prompt (pick ONE date) and from_hour - to_hour prompts
  3. I also have an executive dashboard where the objective is to show multiple offices (and associated KPIs) on the same dashboard

Challenge that I'm facing

  1. When an executive logs in and goes to the non-executive dashboard, she could pick an office that is on the East coast. Given that this user's role has an associated timezone of PST, she now has to do a mental calculation to pick the correct time window from the hour prompts. Otherwise she may not get the complete data set/results
  2. When an executive logs in and goes to the executive dashboard, he will see various offices and KPIs, but again, he needs to do the mental math to make sure that he is choosing the correct time window (from and to hours) to encompass offices from the East coast to the West coast (different time zones; his timezone is PST)

What I'm looking for

  1. Is there a way in Splunk so that the from and to hour prompts show (or not) depending on whether it is an executive role or not?
  2. Is there a better way/method of addressing this particular user experience need when the enterprise is truly global?

Any pointers would be greatly appreciated. Happy to do a screen share, provide more details as needed.

best, ronak

0 Karma

Esteemed Legend

It is awkward, but you could teach executives (is that even possible?) to change their own TZ settings when they do this by going to "Your User Name" -> Edit Account -> Time Zone and setting this to the appropriate value and Splunk will automatically normalize both the timepicker and all the results as they are presented to you.


Generally, you can correct the time of events by any amount with

your search | eval _time=_time+7200

This, for example, would give you +2 hours. You can also calculate that time dynamically with something like

your search | eval _time=relative_time(_time, "+2h")

This requires you to know the difference in time between the current system and the place the data was created, which means you either need to make that depend on the host/source/... (e.g. all data from sources on the east coast is adjusted to eight hours earlier or something like that) or you save the timezone as a field when the data is created and use that information to calculate the difference.

0 Karma
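The per-host offset idea from the answer above, combined with the from_hour/to_hour prompts from the question, as an added example that is not code from the thread. It assumes the viewing user's timezone is Pacific, uses constructed events from `makeresults` with hypothetical `sample-*` host names, and hard-codes the hour window 13 to 16 where a dashboard would substitute its own hour tokens. The offsets are fixed numbers of seconds, so they do not account for offices whose daylight-saving rules differ from the viewer's.

```spl
| makeresults count=3
| streamstats count AS n
| eval host=case(n==1, "sample-east-01", n==2, "sample-central-01", n==3, "sample-west-01")
| eval _time=strptime("2024-03-04 12:30:00", "%Y-%m-%d %H:%M:%S")
| eval office_offset_sec=case(like(host, "sample-east-%"), 10800, like(host, "sample-central-%"), 7200, true(), 0)
| eval office_local_time=strftime(_time + office_offset_sec, "%Y-%m-%d %H:%M:%S")
| eval office_local_hour=tonumber(strftime(_time + office_offset_sec, "%H"))
| where office_local_hour >= 13 AND office_local_hour < 16
| table host _time office_offset_sec office_local_time office_local_hour
```

Filtering on `office_local_hour` instead of on the viewer's clock lets one hour window mean the same wall-clock hours at every office, which removes the mental conversion described in the question.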