My Dashboard setup
Challenge that I'm facing
What I'm looking for
Any pointers would be greatly appreciated. Happy to do a screen share, provide more details as needed.
It is awkward, but you could teach executives (is that even possible?) to change their own TZ settings when they do this by going to "Your User Name" -> Edit Account -> Time Zone and setting this to the appropriate value, and Splunk will automatically normalize both the timepicker and all the results as they are presented to you.
Generally, you can correct the time of events by any amount with
your search | eval _time=_time+7200
This, for example, would give you +2 hours. You can also calculate that time dynamically with something like
your search | eval _time=relative_time(_time, "+2h")
This requires you to know the difference in time between the current system and the place the data was created, which means you either need to make that depend on the host/source/... (e.g. all data from sources on the east coast is adjusted to eight hours earlier or something like that) or you save the timezone as a field when the data is created and use that information to calculate the difference.
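As an added illustration that is not part of the thread, the sketch below works through the last suggestion in Python rather than SPL: each event carries its source timezone as a field, and the per-event correction is derived from that field. The field name `tz`, its "+HHMM" format, the host names and the sample events are all constructed for this example, and it assumes the indexing system read each local wall-clock time as if it were in its own zone.

```python
from datetime import datetime, timezone

def parse_offset(tz_field):
    """Convert a '+HHMM' / '-HHMM' field into a signed number of seconds."""
    if len(tz_field) != 5 or tz_field[0] not in "+-" or not tz_field[1:].isdigit():
        raise ValueError("expected +HHMM or -HHMM, got %r" % tz_field)
    sign = -1 if tz_field[0] == "-" else 1
    return sign * (int(tz_field[1:3]) * 3600 + int(tz_field[3:5]) * 60)

def correction_seconds(source_tz, indexer_tz="+0000"):
    """Seconds to add to the stored _time to obtain the true epoch time.

    stored = wall_clock - indexer_offset, true = wall_clock - source_offset,
    so true - stored = indexer_offset - source_offset.
    """
    return parse_offset(indexer_tz) - parse_offset(source_tz)

def normalize(events, indexer_tz="+0000"):
    """Return corrected copies of the events, sorted by true time."""
    fixed = []
    for ev in events:
        ev = dict(ev)
        ev["_time"] += correction_seconds(ev["tz"], indexer_tz)
        fixed.append(ev)
    return sorted(fixed, key=lambda e: e["_time"])

def as_stored(hour):
    """Epoch the indexer stored when it read a wall-clock hour as UTC."""
    return int(datetime(2024, 1, 15, hour, 0, tzinfo=timezone.utc).timestamp())

# Constructed sample: two hosts logging local wall-clock time.
EVENTS = [
    {"host": "db-us", "tz": "-0500", "_time": as_stored(6), "msg": "login ok"},
    {"host": "web-eu", "tz": "+0200", "_time": as_stored(12), "msg": "login failed"},
]

if __name__ == "__main__":
    for ev in normalize(EVENTS):
        stamp = datetime.fromtimestamp(ev["_time"], tz=timezone.utc)
        print(stamp.isoformat(), ev["host"], ev["msg"])
```

Before correction the db-us event sorts first (06:00 against 12:00). After correction the web-eu event at 10:00 UTC precedes the db-us event at 11:00 UTC, which is the order that matters when reconstructing a timeline across hosts.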