Hi
I have 1 site, but users in 3 time zones.
One in Dublin, Paris and Beirut. (Paris is one hour ahead of me.)
I want all users to see 100% what is seen by the Paris users.
All the servers and forwarders are in Paris.
When I log in with a Paris user with CITRIX it all works fine; however, when I log in with a Dublin user I am getting issues: the time is out by 1 hour when I do an action.
I am using a user with (Default system time).
I have created a graph like below that maps out the events; when I hover over it I can see the start and end time of the event [16:10 - 16:17].
I have set up a drilldown that will drive another graph to display the logs that happened in that time zone.
So in my example, I click on PREPARE_TDS and it should drive the next graph with the time of $earliest$ & $latest$; however, in Dublin it pushes the time to 17:10 and not 16:10. In Paris it works fine, 16:10 is used. So the location of the Dublin user is causing an issue.
2 Questions
1) Is there a way to tell SPLUNK that all users should get the same data, ignoring location? So in my case I want all users to see data on PARIS time, as all the servers and forwarders are there.
2) If not for the above, how do I fix it for the Dublin users?
<viz type="timeline_app.timeline">
  <search>
    <query>eventtype=mlc sourcetype=lts_timings host=$host_token$ | eval duration_seconds=duration_seconds*1000 | eval task_name2=task_name | table _time task_name task_name2 duration_seconds | sort $Name_or_Duration2$ | rename task_name as Event_Name | rename task_name2 as Event_Name2 | search Event_Name=*$Task_Search$*</query>
    <earliest>$tps_selection.earliest$</earliest>
    <latest>$tps_selection.latest$</latest>
  </search>
  <option name="height">399</option>
  <option name="timeline_app.timeline.axisTimeFormat">SECONDS</option>
  <option name="timeline_app.timeline.colorMode">categorical</option>
  <option name="timeline_app.timeline.maxColor">#DA5C5C</option>
  <option name="timeline_app.timeline.minColor">#FFE8E8</option>
  <option name="timeline_app.timeline.numOfBins">6</option>
  <option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
  <option name="timeline_app.timeline.useColors">1</option>
  <drilldown>
    <set token="TEST_GANTT_VALUE">$row.Event_Name$</set>
    <set token="TEST_GANTT_start">$earliest$</set>
    <set token="TEST_GANTT_end">$latest$</set>
  </drilldown>
</viz>
The search is the same from Paris or Dublin.
So the question I have is: I am aware that if I use the eval function to set the time it will change the time; however, in this case I am setting the data. I am unsure how to get the Dublin users to see what the Paris users are seeing.
Cheers 🙂
I have also tried to change my splunk/etc/apps/user-prefs/local/user-prefs.conf
However, a user consultant logged in from Dublin is still converting time to + 1.
[default]
tz = Europe/Paris
[role_consultant]
default_namespace = murex_mlc
tz = Europe/Paris
[role_consultant_read]
default_namespace = murex_mlc
tz = Europe/Paris
I also tried to set up epoch time; however, the graph does not display it so I can't reference it. Unless there is a way to do that?
<viz type="timeline_app.timeline">
  <search>
    <query>eventtype=mlc sourcetype=lts_timings host=$host_token$ | eval duration_seconds=duration_seconds*1000 | eval task_name2=task_name | eval Start_epoc=start | eval Stop_epoc=end | eval Start_epoc = strptime(Start_epoc,"%Y-%m-%d %H:%M:%S") | eval Stop_epoc = strptime(Stop_epoc,"%Y-%m-%d %H:%M:%S") | table _time task_name task_name2 duration_seconds Start_epoc Stop_epoc | sort $Name_or_Duration2$ | rename task_name as Event_Name | rename task_name2 as Event_Name2 | search Event_Name=*$Task_Search$*</query>
    <earliest>$tps_selection.earliest$</earliest>
    <latest>$tps_selection.latest$</latest>
  </search>
  <option name="height">399</option>
  <option name="timeline_app.timeline.axisTimeFormat">SECONDS</option>
  <option name="timeline_app.timeline.colorMode">categorical</option>
  <option name="timeline_app.timeline.maxColor">#DA5C5C</option>
  <option name="timeline_app.timeline.minColor">#FFE8E8</option>
  <option name="timeline_app.timeline.numOfBins">6</option>
  <option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
  <option name="timeline_app.timeline.useColors">1</option>
  <drilldown>
    <set token="TEST_GANTT_VALUE">$row.Event_Name$</set>
    <set token="TEST_GANTT_start">$row.Start_epoc$</set>
    <set token="TEST_GANTT_end">$row.Stop_epoc$</set>
  </drilldown>
</viz>
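Added example, not part of the original post and not Splunk code: a Python sketch of why a timestamp in the zone-less format `%Y-%m-%d %H:%M:%S` used above yields different epoch values for a Paris and a Dublin viewer, and how pinning the parse to the zone the logs were written in removes the difference. It assumes the string is interpreted in each viewer's own zone; the date, the fixed summer offsets (Paris UTC+2, Dublin UTC+1) and all function names are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed summer offsets (assumption), used instead of a tz database so this runs offline.
PARIS = timezone(timedelta(hours=2), "Europe/Paris (CEST)")
DUBLIN = timezone(timedelta(hours=1), "Europe/Dublin (IST)")
FMT = "%Y-%m-%d %H:%M:%S"  # same zone-less format as the strptime() in the query


def to_epoch(wall_clock: str, zone: timezone) -> int:
    """Parse a zone-less timestamp as if it had been written in `zone`."""
    return int(datetime.strptime(wall_clock, FMT).replace(tzinfo=zone).timestamp())


def render(epoch: int, zone: timezone) -> str:
    """Format an epoch value as wall-clock time in `zone`."""
    return datetime.fromtimestamp(epoch, zone).strftime(FMT)


def drilldown_window(start, end, source_zone, viewer_zone, pin_source):
    """Return (earliest, latest) epochs for a drilldown.

    pin_source=False: strings are parsed in the viewer's zone (ambiguous case).
    pin_source=True:  strings are parsed in the zone the logs were written in.
    """
    zone = source_zone if pin_source else viewer_zone
    return to_epoch(start, zone), to_epoch(end, zone)


# Constructed sample: the 16:10 - 16:17 task from the post, on a made-up date.
START, END = "2021-06-15 16:10:00", "2021-06-15 16:17:00"


def compare():
    """Build the drilldown window for each viewer, both unpinned and pinned."""
    rows = {}
    for name, viewer in (("paris", PARIS), ("dublin", DUBLIN)):
        naive = drilldown_window(START, END, PARIS, viewer, pin_source=False)
        pinned = drilldown_window(START, END, PARIS, viewer, pin_source=True)
        rows[name] = {
            "naive": naive,
            "pinned": pinned,
            # Start of each window as it reads on the Paris servers' clock.
            "naive_as_paris": render(naive[0], PARIS),
            "pinned_as_paris": render(pinned[0], PARIS),
        }
    return rows


if __name__ == "__main__":
    for viewer, row in compare().items():
        print(viewer, row)
```

Under these assumptions the Dublin viewer's unpinned window starts at 17:10 on the Paris clock, the one-hour shift described in the post, while the pinned window is identical for both viewers.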
Have you tried to change the user's TZ in the account settings to be Paris TZ?
Hi
Yes, I have tried this, but no luck. Paris displays correctly but Dublin is still one hour + when I click the button.
Cheers anyway.
Do you happen to have the date_zone in your data? I have similar needs for my own data but need to be able to see data in my own time zone as well as in local time zones at sites. I add this chunk of syntax right after my base search to shift _time. It may need to be tweaked to what you need it to do, but it's a start.
| addinfo
| convert mktime(dateTime) as epochDateTime timeformat="%Y-%m-%d %H:%M:%S.%6N %:z"
| eval shifted_time=epochDateTime-(abs(date_zone)*60)
| convert ctime(shifted_time) as shifted_time_epoch timeformat="%Y-%m-%d %H:%M:%S.%6N %:z"
| eval offset=case(like(shifted_time_epoch,"%12:00") ,43200, like(shifted_time_epoch ,"%11:00"),39600, like(shifted_time_epoch,"%10:00"),36000, like(shifted_time_epoch,"%09:00"),32400, like(shifted_time_epoch,"%08:00"),28800, like(shifted_time_epoch,"%07:00"),25200, like(shifted_time_epoch,"%06:00"),21600, like(shifted_time_epoch,"%05:00"),18000, like(shifted_time_epoch,"%04:00"),14400, like(shifted_time_epoch,"%03:00"),10800, like(shifted_time_epoch,"%02:00"),7200, like(shifted_time_epoch,"%01:00"),3600, like(shifted_time_epoch,"%00:00"),0)
| eval _time=shifted_time+offset
Hi
Thanks for this; however, I was trying to get an answer on the system level and not have to add code into the configuration.
However, it is looking like it is not possible.