I made the mistake of configuring some alerts under the admin user before I'd set its timezone. Now the cron schedules for those jobs are running against UTC and even though I've set admin to the correct timezone, the cron schedules have remained against UTC times. I tried changing them to something else then changing back but they revert to UTC. Does anyone know how I can 'unlock' these alerts and get the jobs to run against my timezone?
I also see the 'Run as Owner or User' options and I'm not seeing much info on that. What will that help me do?
Splunk cron schedule is clever enough to take the owner's timezone into account and runs according to the user's configured time zone. Check next run time under Settings -> Searches, reports, and alerts -> Scheduled time.
Hi there. This does make sense and moves me close to not receiving alerts at all hours. The search head is a Linux machine that is sync'd to NTP but had the timezone set as UTC and UTC=1, or whatever it is. I just changed that to my local timezone. Do you think I should do that and would I still need to build in this offset?
Yes, to be clear: cron is not timezone "aware" so you will need to apply an offset from your local time to the server's UTC time. There are plenty of timezone conversion web sites if you need help in working out your offset (run some tests). Setting your Splunk UI user's timezone does not affect cron style scheduling, so just leave your Splunk user's UI timezone to match your local time.
Another issue you'll have is when there is a change to/from daylight saving time (DST), or summer and winter time. The server running in UTC will not change for DST so suddenly your alerts will be running 1 hour early or late, depending on when they were set.
Hi there. Sorry, I have been finishing my configs and doing some testing. What I am seeing is that everything is behaving since I set the timezone; that doesn't seem to make sense based on the above? I see the correct 'next run times' (in local time) next to the jobs and, because I haven't set my baselines properly yet, I start getting alerts at 7am per the cron schedule. What do you think?
Hi sjohnehta and pdjhh,
I must apologise, I've been playing around this morning (v6.3) and find I've been completely wrong. Splunk cron schedule is clever enough to take the owner's timezone into account and runs according to the user's configured time zone. Check next run time under Settings -> Searches, reports, and alerts -> Scheduled time. It is not at all dependent on the search head's running timezone, as I thought, and offsets are not needed.
I'm going to adjust my answer, so other users do not get the wrong information.