Getting Data In

Adding Melbourne and Sydney Australia as available time zones in GUI.

Lucas_K
Motivator

I'd previously raised this years ago as a support ticket but it hasn't been added so I thought i'd post it here as it is an on going issue and it causes no end to the absolute hell that it has caused.

There is no Melbourne or Sydney Australia time zone in the gui for users to set their correct time zones. This still exists in the latest v6.5.

alt text

As our search heads support users from all over the world setting it as a default isn't appropriate.

Supports original suggestion of telling users to use Hobart, does functionally work but is very unprofessional to be telling high level managers that they are in a different part of the country 😉 Like telling a New Yorker they are from Florida I suppose.

The fix is so very, very simple. Yet has missed 2 large version releases (v5 and v6).

./etc/apps/search/default/data/ui/manager/authentication_change_user_password.xml

Find Line 109
109 <opt value="Australia/Hobart" label="(GMT+10:00) Hobart"/> 

Add 
110 <opt value="Australia/Melbourne" label="(GMT+10:00) Melbourne"/> 
111 <opt value="Australia/Sydney" label="(GMT+10:00) Sydney"/>

After

alt text

Tags (2)
1 Solution

eavent_splunk
Splunk Employee
Splunk Employee

Happy to say that with the release of 7.1, Sydney and Melbourne are both available as Time Zone selections in the web interface.

View solution in original post

eavent_splunk
Splunk Employee
Splunk Employee

Happy to say that with the release of 7.1, Sydney and Melbourne are both available as Time Zone selections in the web interface.

Lucas_K
Motivator

oh thank god! 😄

0 Karma

jplumsdaine22
Influencer

Finally we can stop being lorded over by Tasmanians

0 Karma

abrown_splunk
Splunk Employee
Splunk Employee

Hi Lucas - just want to make sure I understand what you're up against here. Is it that Melbourne and Sydney are in a different timezone and function incorrectly or is it that by omitting these (admittedly major) cities from the options list, people have to select a different city that is in the same timezone but not representative of their geographic location?

FWIW, I'm in Seattle and and for many years I had to choose "PST - Cupertino, CA" - I just see it as some human-readable language to validate you're picking the right time zone instead of an indication of your exact location.

0 Karma

Lucas_K
Motivator

I understand it isn't supposed to be an exact location but from a users perspective there isn't THAT many large cities in Australia to compare it to the US (we literally have 7 major ones total.)

I would have thought splunk would have used the standard TZ list.

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Most users and Australians in general are on our eastern side of the country. Melbourne, Sydney, Brisbane (12 million) vs Hobart (200k).

As such as have people that not know if Hobart has the same Daylight savings as all those 3 (hint, they don't), so it isn't clear to people that they are selecting the right thing, or not but choosing Hobart. Which is more of a big town than a city 😉

Remember, Splunk is a time series index so time is VERY important, almost the most important thing. Set in events and also via the UI. Getting it wrong changes the perspective of how the data is presented.

We've had numerous people keep asking. Should I be selecting Hobart? Where is Melbourne or Sydney? Its been an ongoing joke that it hasn't been updated in the past 5 years. It is very embarrassing when we have to tell managers this software we're paying $10's of millions for each year for can't have an official timezone included in it.

If it is deemed officially as too hard and the solution is "just use hobart" then that is fine. I'll just customize every search head to include the code fix myself.

0 Karma

abrown_splunk
Splunk Employee
Splunk Employee

Thanks for the explanation as well as your workaround. I'll see if I can get more feedback from the folks in the know.

0 Karma

MuS
Legend

Just my 2cents here:

the fix must not be applied in $SPLUNK_HOME/etc/apps/search/default/data/ui/manager/authentication_change_user_password.xml, this can potentially break at each upgrade. Put it in $SPLUNK_HOME/etc/apps/search/local/data/ui/manager/authentication_change_user_password.xml instead.

cheers, MuS

0 Karma

mrgibbon
Contributor

Still the same in v7.0.0

Lucas_K
Motivator

😞 yeah didn't really expect it to be added officially.

0 Karma

Lucas_K
Motivator

As of v6.5 this issue still persists.

sigh

Lucas_K
Motivator

v6.5.2. the saga continues. Seriously splunk devs I've posted the code!

0 Karma

jplumsdaine22
Influencer

I agree that this should be fixed

But... "absolute hell". Really?

At least Melbourne got kicked off the list as well. I can't imagine how unbearable Sydney people would be if Melbourne was on the list but not Sydney 🙂 Someone tell 702!

0 Karma

Lucas_K
Motivator

We had exec level management make business decisions based on incorrect time information due to this. As their login was gmt timezoned the presentation of dashboards was out by 10 hours.

It wasn't until engineering came back and said "it's impossible for those figures to be that at those times" that the logged in users profile was checked.

So yes, "absolute hell" was accurate and highly embarrassing when we were directly competing with other big data systems at the same time to produce the reports. It's hard to be an avangelist for a product when the simplest of fixes never make it into the product. I have a dozen other similar reported fixes.

0 Karma
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...