Getting Data In

Managing reports for multiple timezones

sc0tt
Builder

We currently have 4 servers that send data to the Splunk indexer. Each server is located in US/Eastern, however each server is used by a different geographical region and all log timestamps are US/Eastern. Using the user timezone setting, Splunk will adjust the time to the user's local timezone. However, for reporting purposes I do not want the times to be displayed in local time, but rather with respect to each reporting region. Currently, I am using the below eval in my reports:

| eval _time=case(host="Server-1", _time + (60 * 60), host="Server-2", _time + (210 * 60),host="Server-3", _time + (300 * 60), 1=1, _time)`

This works, but is there a better way to do this so reports do not need to be modified during timezone changes and when new geographical regions come online?

Tags (2)
0 Karma
1 Solution

linu1988
Champion

Hello,
Your approach is quite correct, not much you can do about this while doing a report if your search head is in different region.

View solution in original post

linu1988
Champion

Hello,
Your approach is quite correct, not much you can do about this while doing a report if your search head is in different region.

sc0tt
Builder

Thanks for the feedback. I ended up creating a timezone search macro to handle this so that I only have to change it one place. I think this is best I can do. I wish Splunk had a feature that could display reports for specified time zones.

0 Karma

sc0tt
Builder

Thanks and sorry for not responding sooner. The issue is that I don't always want the time to to be displayed in the local timezone of a Splunk user. Often, I want reports to be adjusted for specific geographical regions depending on the server and displayed on a dashboard--kind of like a newsroom with world clocks. Reports are then emailed to outside parties in these regions so they need to be displayed for the correct time zone.

0 Karma

kristian_kolb
Ultra Champion

Perhaps I'm not understanding the full picture here, but;
a) all timestamps from within the events are converted to epoch internally, i.e. from that point on, there are no timestamps that need to be changed for the actual data.
b) for presentation purposes the timestamp can be displayed in the local timezone of the user.
c) having log sources and indexers in different timezones makes correct definition of TZ settings important (either if the timestamp in the event contains this info, or if not, that it is being explicitly set in the config file).

/k

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...