Our servers are in the CST timezone. In the Splunk UI, we have set the timezone to EST (users are in this zone).
Splunk Version 6.2.0
We are collecting last week stats, so our search is something like this:
earliest=-1w@w latest=-0w@w index=abc .... | timechart span=1w count as "Total",count(eval(status=401)) as "Failures"
Output:
_time Total Failures
23-Aug-15 43689 199
This works fine in the GUI.
However, we wanted to automate this as an email report and we received different values.
The reason: the scheduled report runs in the server timezone (CST).
We tried implementing the workaround mentioned in http://answers.splunk.com/answers/170285/one-dashboard-with-multiple-timezones.html ("One dashboard with multiple timezones"):
earliest=-1w@w-h latest=-0w@w-h index=abc .... | eval _time=_time+3600 | timechart span=1w count as "Total",count(eval(status=401)) as "Failures"
This gives output:
_time Total Failures
22-Aug-15 38878 188
29-Aug-15 4811 11
Why does Splunk produce output like this for span=1w? Is this a bug?
Also tried span=7d, still no luck.
I know that the total of these gives the required output.
However, when we extend this query to the last 4 weeks of data with span=1w, we get incorrect numbers.
So adding total doesn't help.
Any workaround for this would be appreciated.
This workaround should not be necessary. If you schedule the report under the user who has the appropriate TZ, it should work as you expect. It would not be unreasonable to create a user called "TimeZone EST" and another user as "TimeZone CST" and set each user's TimeZone preference by logging in as each user and going to My Username -> Edit Account -> Time zone and setting the value appropriately. Any searches run by a user will have date values normalized based on this user setting. In your case, since everybody is EST, if each user sets his own Time zone value to EST, then the problem should go away automatically without any trickery or hacks.
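Added example, not part of the original thread: a Python model of why the same `earliest=-1w@w latest=-0w@w` report returns different counts when it runs under an EST user and under a CST one. The fixed UTC offsets (DST ignored), the Sunday week start, the sample events and the run time are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed UTC offsets stand in for the two zones on the page (assumption: DST ignored).
EST = timezone(timedelta(hours=-5), "EST")
CST = timezone(timedelta(hours=-6), "CST")

def last_week_window(now, tz):
    """[start, end) of the previous Sunday-to-Sunday week as seen from tz,
    modelling the window that earliest=-1w@w latest=-0w@w selects."""
    local = now.astimezone(tz)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    # weekday(): Monday=0 ... Sunday=6, so days since Sunday is (weekday + 1) % 7.
    this_week = midnight - timedelta(days=(local.weekday() + 1) % 7)
    return this_week - timedelta(weeks=1), this_week

def weekly_stats(events, now, tz):
    """Total events and status-401 failures inside tz's last-week window."""
    start, end = last_week_window(now, tz)
    hits = [status for ts, status in events if start <= ts < end]
    return {"start": start.isoformat(), "total": len(hits), "failures": hits.count(401)}

def utc(day, hour, minute=0):
    """Constructed-sample helper: a UTC timestamp in August 2015."""
    return datetime(2015, 8, day, hour, minute, tzinfo=timezone.utc)

# Constructed events (UTC time, HTTP status); not data from the thread.
EVENTS = [
    (utc(23, 5, 30), 401),  # Sun 00:30 EST = Sat 23:30 CST: last week only in EST
    (utc(25, 14), 200),
    (utc(27, 9), 401),
    (utc(30, 5, 15), 401),  # Sun 00:15 EST = Sat 23:15 CST: last week only in CST
    (utc(30, 5, 45), 401),  # same boundary hour
    (utc(30, 7), 200),      # this week in both zones
]
NOW = datetime(2015, 9, 2, 12, 0, tzinfo=timezone.utc)  # constructed run time, a Wednesday

if __name__ == "__main__":
    for tz in (EST, CST):
        print(tz.tzname(None), weekly_stats(EVENTS, NOW, tz))
```

The two windows are the same length but offset by one hour, so events in the boundary hour at either end of the week are counted in one zone and not the other.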