Why is our scheduled report that runs in our server timezone CST showing unexpected results in the emailed report for users in the EST timezone?

Explorer

Our servers are in the CST timezone. In the Splunk UI, we have set the timezone to EST (users are in this zone).
Splunk Version 6.2.0

We are collecting last week stats, so our search is something like this:

earliest=-1w@w latest=-0w@w index=abc .... | timechart span=1w count as "Total",count(eval(status=401)) as "Failures"

Output:

_time          Total     Failures
23-Aug-15      43689     199

This works fine in the GUI.
However, we wanted to automate this as an email report and we received different values.
The reason: the scheduled report runs in the server timezone (CST).

We tried implementing the workaround mentioned in http://answers.splunk.com/answers/170285/one-dashboard-with-multiple-timezones.html ("One dashboard with multiple timezones"):

earliest=-1w@w-h latest=-0w@w-h index=abc .... | eval _time=_time+3600 | timechart span=1w count as "Total",count(eval(status=401)) as "Failures"

This gives output:

_time          Total     Failures
22-Aug-15      38878     188
29-Aug-15      4811      11

Why does Splunk produce output like this for span=1w? Is this a bug?
Also tried span=7d, still no luck.

I know that the total of these gives the required output.
However, when we extend this query to the last 4 weeks of data with span=1w, we get incorrect numbers.
So adding the totals doesn't help.

Any workaround for this would be appreciated.

0 Karma
1 Solution

Esteemed Legend

This workaround should not be necessary. If you schedule the report under the user who has the appropriate TZ, it should work as you expect. It would not be unreasonable to create a user called "TimeZone EST" and another user called "TimeZone CST" and set each user's time zone preference by logging in as each user, going to My Username -> Edit Account -> Time zone, and setting the value appropriately. Any searches run by a user will have date values normalized based on this user setting. In your case, since everybody is EST, if each user sets his own Time zone value to EST, then the problem should go away automatically without any trickery or hacks.


0 Karma
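
An added illustration, not part of the original thread and not Splunk's code: it resolves `earliest=-1w@w latest=-0w@w` under the server's zone and under the users' zone and counts the same events in each window, showing how events near the week boundary move in or out of the report. Assumptions: fixed UTC-5 and UTC-4 offsets (daylight time in August 2015), `@w` snapping to Sunday 00:00, and a constructed run time and event list.

```python
from datetime import datetime, timedelta, timezone

# Assumption: fixed daylight-time offsets for August 2015, so no tz database is needed.
SERVER_TZ = timezone(timedelta(hours=-5))  # server zone ("CST" in the post)
USER_TZ = timezone(timedelta(hours=-4))    # users' zone ("EST" in the post)

def week_start(moment, tz):
    """Snap to Sunday 00:00 in tz, as @w does."""
    local = moment.astimezone(tz)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=(local.weekday() + 1) % 7)

def last_week_window(now, tz):
    """Resolve earliest=-1w@w latest=-0w@w to (earliest, latest) epoch seconds."""
    earliest = week_start(now - timedelta(weeks=1), tz)
    latest = week_start(now, tz)
    return int(earliest.timestamp()), int(latest.timestamp())

def weekly_counts(events, window):
    """Return (Total, Failures) for events with earliest <= _time < latest."""
    earliest, latest = window
    hits = [status for t, status in events if earliest <= t < latest]
    return len(hits), sum(1 for s in hits if s == 401)

def utc(*args):
    """Epoch seconds for a UTC calendar time."""
    return int(datetime(*args, tzinfo=timezone.utc).timestamp())

# Constructed run time and events (epoch seconds, HTTP status); not data from the post.
NOW = datetime(2015, 8, 31, 11, 0, tzinfo=timezone.utc)
EVENTS = [
    (utc(2015, 8, 23, 4, 30), 401),  # Sun 00:30 in user zone, Sat 23:30 on server
    (utc(2015, 8, 26, 15, 0), 200),
    (utc(2015, 8, 28, 12, 0), 401),
    (utc(2015, 8, 30, 4, 30), 200),  # Sun 00:30 in user zone, Sat 23:30 on server
    (utc(2015, 8, 30, 4, 45), 200),
]

if __name__ == "__main__":
    for name, tz in (("server", SERVER_TZ), ("user", USER_TZ)):
        window = last_week_window(NOW, tz)
        print(name, window, weekly_counts(EVENTS, window))
```

The two windows are the same length but offset by one hour, so the totals and the failure counts differ even though the search string is identical.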
