Timezone issues: 1 site, 3 users in different timezones.

robertlynch2020
Motivator

Hi

I have 1 site, but users in 3 timezones.
One in Dublin, Paris and Beirut. (Paris is one hour ahead of me).

I want all users to see 100% what is seen by the Paris users.

All the servers and forwarders are in Paris.
When I log in with a Paris user with CITRIX it all works fine; however, when I log in with a Dublin user I am getting issues: the time is out by 1 hour when I do an action.

I am using a user with (Default system time).
I have created a graph like below that maps out the events; when I hover over it I can see the start and end time of the event [16:10 - 16:17].
I have set up a drilldown that will drive another graph to display the logs that happened in that time zone.

So in my example, I click on PREPARE_TDS and it should drive the next graph with the time of $earliest$ & $latest$; however, in Dublin it pushes the time to 17:10 and not 16:10. In Paris it works fine, 16:10 is used. So the location of the Dublin user is causing an issue.

2 Questions
1) Is there a way to tell SPLUNK that all users should get the same data, ignoring location? So in my case I want all users to see data on PARIS time, as all the servers and forwarders are there.

2) If not for above, how do I fix it for the Dublin users?

  <viz type="timeline_app.timeline">
        <search>
          <query>eventtype=mlc sourcetype=lts_timings host=$host_token$ | eval duration_seconds=duration_seconds*1000 | eval task_name2=task_name | table _time task_name task_name2 duration_seconds | sort $Name_or_Duration2$ | rename task_name as Event_Name | rename task_name2 as Event_Name2 | search Event_Name=*$Task_Search$*</query>
          <earliest>$tps_selection.earliest$</earliest>
          <latest>$tps_selection.latest$</latest>
        </search>
        <option name="height">399</option>
        <option name="timeline_app.timeline.axisTimeFormat">SECONDS</option>
        <option name="timeline_app.timeline.colorMode">categorical</option>
        <option name="timeline_app.timeline.maxColor">#DA5C5C</option>
        <option name="timeline_app.timeline.minColor">#FFE8E8</option>
        <option name="timeline_app.timeline.numOfBins">6</option>
        <option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
        <option name="timeline_app.timeline.useColors">1</option>
        <drilldown>
          <set token="TEST_GANTT_VALUE">$row.Event_Name$</set>
          <set token="TEST_GANTT_start">$earliest$</set>
          <set token="TEST_GANTT_end">$latest$</set>

        </drilldown>
      </viz>

The search is the same from Paris or Dublin.

So the question I have is: I am aware that if I use an eval function to set the time it will change the time; however, in this case I am setting the data. I am unsure how to get the Dublin users to see what the Paris users are seeing.

Cheers 🙂

0 Karma
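Added illustration, not part of the original post or of Splunk's code: one way a one-hour drilldown shift like the one described can arise is when a time window is handed over as a zone-less wall-clock string rendered in one zone and re-parsed in the viewer's zone, whereas epoch seconds survive the hand-off unchanged. The fixed offsets (Paris UTC+1, Dublin UTC+0), the sample date and all function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: fixed winter offsets (Paris UTC+1, Dublin UTC+0) so no tz database is needed.
PARIS = timezone(timedelta(hours=1), "Paris")
DUBLIN = timezone(timedelta(hours=0), "Dublin")
FMT = "%Y-%m-%d %H:%M:%S"  # zone-less wall-clock format


def to_wall_clock(epoch, tz):
    """Render epoch seconds as a zone-less wall-clock string in tz."""
    return datetime.fromtimestamp(epoch, tz).strftime(FMT)


def from_wall_clock(text, tz):
    """Interpret a zone-less wall-clock string as local time in tz."""
    return int(datetime.strptime(text, FMT).replace(tzinfo=tz).timestamp())


def handoff_as_string(window, render_tz, viewer_tz):
    """Pass a (start, end) window as strings rendered in one zone and re-parsed in another."""
    return tuple(from_wall_clock(to_wall_clock(e, render_tz), viewer_tz) for e in window)


def handoff_as_epoch(window):
    """Pass the window as epoch seconds; no zone is involved in the hand-off."""
    return tuple(window)


def drift_report(window, render_tz, viewers):
    """Seconds by which each viewer's string hand-off moves the window start."""
    return {name: handoff_as_string(window, render_tz, tz)[0] - window[0]
            for name, tz in viewers.items()}


# Constructed sample: the 16:10 - 16:17 window from the post, on an arbitrary winter date.
WINDOW = (from_wall_clock("2018-01-15 16:10:00", PARIS),
          from_wall_clock("2018-01-15 16:17:00", PARIS))
VIEWERS = {"Paris": PARIS, "Dublin": DUBLIN}

if __name__ == "__main__":
    for name, secs in drift_report(WINDOW, PARIS, VIEWERS).items():
        shifted = handoff_as_string(WINDOW, PARIS, VIEWERS[name])
        print(f"{name}: drift {secs:+d}s, window shown in Paris time as "
              f"{to_wall_clock(shifted[0], PARIS)} - {to_wall_clock(shifted[1], PARIS)}")
    print("epoch hand-off:", handoff_as_epoch(WINDOW) == WINDOW)
```
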

robertlynch2020
Motivator

I have also tried to change my splunk/etc/apps/user-prefs/local/user-prefs.conf

However, a user consultant logged in from Dublin is still converting time to + 1.

[default]
tz = Europe/Paris

[role_consultant]
default_namespace = murex_mlc
tz = Europe/Paris

[role_consultant_read]
default_namespace = murex_mlc
tz = Europe/Paris

0 Karma

robertlynch2020
Motivator

I also tried to set up epoch time; however, the graph does not display it, so I can't reference it. Unless there is a way to do that?

<viz type="timeline_app.timeline">
        <search>
          <query>eventtype=mlc sourcetype=lts_timings host=$host_token$ | eval duration_seconds=duration_seconds*1000 | eval task_name2=task_name  | eval Start_epoc=start  |  eval Stop_epoc=end | eval Start_epoc = strptime(Start_epoc,"%Y-%m-%d %H:%M:%S") | eval Stop_epoc = strptime(Stop_epoc,"%Y-%m-%d %H:%M:%S") | table _time task_name task_name2 duration_seconds Start_epoc Stop_epoc | sort $Name_or_Duration2$ | rename task_name as Event_Name | rename task_name2 as Event_Name2 | search Event_Name=*$Task_Search$*</query>
          <earliest>$tps_selection.earliest$</earliest>
          <latest>$tps_selection.latest$</latest>
        </search>
        <option name="height">399</option>
        <option name="timeline_app.timeline.axisTimeFormat">SECONDS</option>
        <option name="timeline_app.timeline.colorMode">categorical</option>
        <option name="timeline_app.timeline.maxColor">#DA5C5C</option>
        <option name="timeline_app.timeline.minColor">#FFE8E8</option>
        <option name="timeline_app.timeline.numOfBins">6</option>
        <option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
        <option name="timeline_app.timeline.useColors">1</option>
        <drilldown>
          <set token="TEST_GANTT_VALUE">$row.Event_Name$</set>
          <set token="TEST_GANTT_start">$row.Start_epoc$</set>
          <set token="TEST_GANTT_end">$row.Stop_epoc$</set>
        </drilldown>
      </viz>

0 Karma

cmerriman
Super Champion

Have you tried to change the user's TZ in the account settings to be Paris TZ?

0 Karma

robertlynch2020
Motivator

Hi

Yes, I have tried this, but no luck. Paris displays correctly but Dublin is still one hour + when I click the button.

Cheers anyway.

0 Karma

cmerriman
Super Champion

Do you happen to have the date_zone in your data? I have similar needs for my own data but need to be able to see data in my own time zone as well as in local time zones at sites. I add this chunk of syntax right after my base search to shift _time. It may need to be tweaked to what you need it to do, but it's a start.

| addinfo 
| convert mktime(dateTime) as epochDateTime timeformat="%Y-%m-%d %H:%M:%S.%6N %:z" 
| eval shifted_time=epochDateTime-(abs(date_zone)*60) 
| convert ctime(shifted_time) as shifted_time_epoch timeformat="%Y-%m-%d %H:%M:%S.%6N %:z" 
| eval offset=case(like(shifted_time_epoch,"%12:00") ,43200, like(shifted_time_epoch ,"%11:00"),39600, like(shifted_time_epoch,"%10:00"),36000, like(shifted_time_epoch,"%09:00"),32400, like(shifted_time_epoch,"%08:00"),28800, like(shifted_time_epoch,"%07:00"),25200, like(shifted_time_epoch,"%06:00"),21600, like(shifted_time_epoch,"%05:00"),18000, like(shifted_time_epoch,"%04:00"),14400, like(shifted_time_epoch,"%03:00"),10800, like(shifted_time_epoch,"%02:00"),7200, like(shifted_time_epoch,"%01:00"),3600, like(shifted_time_epoch,"%00:00"),0)
| eval _time=shifted_time+offset

0 Karma

robertlynch2020
Motivator

Hi

Thanks for this; however, I was trying to get an answer on the system level and not have to add code into the configuration.

However, it is looking like it is not possible.

0 Karma