All our servers (Splunk Indexer, Search Head and applications/universal forwarders) are in CST time zone.
In Splunk UI, we have set the timezone as EST.
Now, we have created a Splunk saved report for the last 4 weeks (-4w@w to @w).
Also, we have accelerated this report.
When we run the report directly or via Open in Search, we get data 7/19/15 12:00:00.000 AM EST to 8/16/15 12:00:00.000 AM EST.
Then, we added the report to an existing multi-panel dashboard (not as an inline search) but as a direct report.
However, now we get different values in the panel.
We found the reason when we clicked on the magnifying glass ("Open in Search") below in the panel in the dashboard.
Reason: this panel runs between 7/19/15 01:00:00.000 AM EST and 8/16/15 01:00:00.000 AM EST.
Why would this occur?
Thanks in advance 🙂
Hi again, @477450,
I wanted to let you know that our engineering team has identified this issue as a bug to fix.
There may be a way to work around the problem for now, by adjusting settings in props.conf. In particular, take a look at the timezone configuration settings. It sounds like the report scheduling that you set up for 12 midnight EST is being interpreted as midnight CST, causing it to capture data one hour later, at 1am EST. Perhaps ensuring that this is set to EST would help?
I'm not sure what version of the software you are using, but here is the props.conf spec file in our documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Propsconf
Some other resources that you might find helpful:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/ApplyTimezoneOffsetsToTimeStamps
http://answers.splunk.com/answers/170285/one-dashboard-with-multiple-timezones.html
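Added example, not part of the thread and not Splunk code: a small Python model of the `-4w@w` to `@w` window from the question, showing how snapping to the week boundary in the server's zone instead of the user's zone moves both bounds by one hour. The function names, the sample clock time and the fixed UTC offsets (daylight time, August 2015) are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets valid for July/August 2015 (daylight time); assumed for this example.
CENTRAL = timezone(timedelta(hours=-5), "Central")   # server zone in the question
EASTERN = timezone(timedelta(hours=-4), "Eastern")   # zone set in the user's UI

# Constructed sample "now": Tuesday 2015-08-18 15:00 UTC.
NOW = datetime(2015, 8, 18, 15, 0, tzinfo=timezone.utc)


def snap_to_week(t):
    """Snap to 00:00 on the most recent Sunday in t's own zone (models @w)."""
    days_since_sunday = (t.weekday() + 1) % 7  # weekday(): Monday=0 ... Sunday=6
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=days_since_sunday)


def window(now_utc, snap_tz, weeks=4):
    """Return (earliest, latest) for -<weeks>w@w .. @w, snapping in snap_tz."""
    local_now = now_utc.astimezone(snap_tz)
    earliest = snap_to_week(local_now - timedelta(weeks=weeks))
    latest = snap_to_week(local_now)
    return earliest, latest


def shown_to_user(bounds, user_tz):
    """Render the window bounds the way a user in user_tz would see them."""
    return tuple(b.astimezone(user_tz).strftime("%m/%d/%y %H:%M") for b in bounds)


def snap_skew(now_utc, server_tz, user_tz):
    """Difference between the server-zone and user-zone @w boundaries."""
    return window(now_utc, server_tz)[1] - window(now_utc, user_tz)[1]


if __name__ == "__main__":
    # Snap in the user's zone: the window the report shows when run directly.
    print("user-zone snap:  ", shown_to_user(window(NOW, EASTERN), EASTERN))
    # Snap in the server's zone: the window the dashboard panel shows.
    print("server-zone snap:", shown_to_user(window(NOW, CENTRAL), EASTERN))
    print("skew:", snap_skew(NOW, CENTRAL, EASTERN))
```

A non-zero `snap_skew` means events in the first and last hour of the window are counted differently by the two searches, which is why the panel totals differ from the report.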
I am seeing this issue with the Cisco Security App's Firewall Overview panel on the current version of Splunk Cloud as well. Is there an ETA on when this bug might be fixed? Thanks!
Hi @477450,
I'm a tech writer here at Splunk and I'd like to help with this. I am looking into your question currently. I'm checking to see how time zones and/or the cron scheduling and handling for the report might be contributing to the issue you noticed. I'll report back with more information ASAP!
Please feel free to post further questions or feedback here in the meantime.
Best,
@frobinson_splunk
Hi, thanks for the update.
We are using Splunk version 6.2.0.
Great--thank you for this info! I will pass it along to the engineer working on the bug.
All the best,
@frobinson_splunk
Can I ask what version of the software you are using? Thanks for any details!