Splunk Interface based on Roles

ronak
Path Finder

Business Setup

  1. Organization Acme has multiple offices in different timezones
  2. Each office has a manager. When the manager logs in to the dashboard, he sees his office's data
  3. Executive management, which is headquartered in the PST timezone, needs to see the performance of all the offices when logging in

My Dashboard setup

  1. I have a dashboard where a logged-in user (that office-specific manager or executive) can pick ONLY one office from the drop-down
  2. The dashboard has a date prompt (pick ONE date) and from_hour - to_hour prompts
  3. I also have an executive dashboard where the objective is to show multiple offices (and associated KPIs) on the same dashboard

Challenge that I'm facing

  1. When an executive logs in and goes to the non-executive dashboard, she could pick an office that is on the East Coast. Given that this user's role has an associated timezone of PST, she now has to do a mental calculation to pick the correct time window from the hour prompts. Otherwise she may not get the complete data set/results
  2. When an executive logs in and goes to the executive dashboard, he will see various offices and KPIs, but again, he needs to do the mental math to make sure that he is choosing the correct time window (from and to hours) to encompass offices from the East Coast to the West Coast (different time zones; his timezone is PST)

What I'm looking for

  1. Is there a way in Splunk so that the from and to hour prompts show (or not) depending on whether it is an executive role or not?
  2. Is there a better way/method of addressing this particular user experience need when the enterprise is truly global?

Any pointers would be greatly appreciated. Happy to do a screen share and provide more details as needed

best, ronak

0 Karma

woodcock
Esteemed Legend

It is awkward, but you could teach executives (is that even possible?) to change their own TZ settings when they do this by going to "Your User Name" -> Edit Account -> Time Zone and setting this to the appropriate value; Splunk will then automatically normalize both the timepicker and all the results as they are presented to you.

jeffland
Champion

Generally, you can correct the time of events by any amount with

your search | eval _time=_time+7200

This, for example, would give you +2 hours. You can also calculate that time dynamically with something like

your search | eval _time=relative_time(_time, "+2h")

This requires you to know the difference in time between the current system and the place the data was created, which means you either need to make that depend on the host/source/... (e.g. all data from sources on the east coast is adjusted to eight hours earlier or something like that) or you save the timezone as a field when the data is created and use that information to calculate the difference.

0 Karma
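An added example, not code from this thread: a fixed shift such as `+7200` has to be known per office and changes whenever two locations switch daylight saving time on different dates. The Python sketch below derives both the shift and the epoch search window from a stored timezone name; the function name, the office list and the dates are constructed for illustration.

```python
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo  # standard library since Python 3.9

# Constructed sample: office -> IANA timezone name (assumed, not from the thread).
OFFICES = {"New York": "America/New_York", "London": "Europe/London",
           "San Francisco": "America/Los_Angeles"}

def office_window(day, from_hour, to_hour, office_tz, viewer_tz):
    """Turn an office-local hour window into epoch bounds and viewer-local times."""
    office, viewer = ZoneInfo(office_tz), ZoneInfo(viewer_tz)
    midnight = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=office)
    # Wall-clock arithmetic in the office zone; to_hour=24 rolls to the next day.
    start = midnight + timedelta(hours=from_hour)
    end = midnight + timedelta(hours=to_hour)
    # Seconds to add to a viewer-rendered _time to read the office's wall clock.
    shift = start.utcoffset() - start.astimezone(viewer).utcoffset()
    return {
        "earliest": int(start.timestamp()),  # epoch bounds are timezone-neutral
        "latest": int(end.timestamp()),
        "viewer_from": start.astimezone(viewer).strftime("%H:%M"),
        "viewer_to": end.astimezone(viewer).strftime("%H:%M"),
        "shift_seconds": int(shift.total_seconds()),
    }

if __name__ == "__main__":
    # A viewer on Pacific time asks for 09:00-17:00 office time at every office.
    for name, tz in OFFICES.items():
        for day in ("2022-03-20", "2022-06-27"):
            w = office_window(day, 9, 17, tz, "America/Los_Angeles")
            print(f"{name:14} {day} viewer sees {w['viewer_from']}-{w['viewer_to']} "
                  f"shift={w['shift_seconds']}s "
                  f"earliest={w['earliest']} latest={w['latest']}")
```

For London the shift is 25200 seconds on 2022-03-20 and 28800 on 2022-06-27, because the US and the UK changed clocks on different dates; a hard-coded offset would be wrong for part of the year.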