Why is our scheduled report that runs in our server timezone CST showing unexpected results in the emailed report for users in the EST timezone?

477450
Explorer

Our servers are in the CST timezone. In the Splunk UI, we have set the timezone to EST (users are in this zone).
Splunk Version 6.2.0

We are collecting last week stats, so our search is something like this:

earliest=-1w@w latest=-0w@w index=abc .... | timechart span=1w count as "Total",count(eval(status=401)) as "Failures"

Output:

_time          Total     Failures
23-Aug-15      43689     199

This works fine in the GUI.
However, we wanted to automate this as an email report and we received different values.
The reason: the scheduled report runs in the server timezone (CST).

We tried implementing the workaround mentioned in http://answers.splunk.com/answers/170285/one-dashboard-with-multiple-timezones.html ("One dashboard with multiple timezones"):

earliest=-1w@w-h latest=-0w@w-h index=abc .... | eval _time=_time+3600 | timechart span=1w count as "Total",count(eval(status=401)) as "Failures"

This gives output:

_time          Total     Failures
22-Aug-15      38878     188
29-Aug-15      4811      11

Why does Splunk produce output like this for span=1w? Is this a bug?
Also tried span=7d, still no luck.

I know that the total of these gives the required output.
However, when we extend this query to the last 4 weeks of data with span=1w, we get incorrect numbers.
So adding the totals doesn't help.

Any workaround for this would be appreciated.

0 Karma
1 Solution

woodcock
Esteemed Legend

This workaround should not be necessary. If you schedule the report under the user who has the appropriate TZ, it should work as you expect. It would not be unreasonable to create a user called "TimeZone EST" and another user called "TimeZone CST" and set each user's time zone preference by logging in as each user, going to My Username -> Edit Account -> Time zone, and setting the value appropriately. Any searches run by a user will have date values normalized based on this user setting. In your case, since everybody is EST, if each user sets his own Time zone value to EST, then the problem should go away automatically without any trickery or hacks.

0 Karma
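
Why the same `earliest=-1w@w latest=-0w@w` range returns different counts depending on whose timezone it is evaluated in, as an added example that is not part of the original thread. It emulates the week snap in Python; the function names, the fixed UTC offsets for late August 2015 and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC offsets in effect in late August 2015 (daylight time),
# used so the example needs no tz database.
CDT = timezone(timedelta(hours=-5), "CDT")  # server zone ("CST" in the post)
EDT = timezone(timedelta(hours=-4), "EDT")  # user zone ("EST" in the post)
UTC = timezone.utc

def snap_week(now, tz):
    """Emulate '@w': midnight of the most recent Sunday, as seen in tz."""
    local = now.astimezone(tz)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=(local.weekday() + 1) % 7)

def last_week_window(now, tz):
    """Emulate earliest=-1w@w latest=-0w@w evaluated in tz."""
    end = snap_week(now, tz)
    return end - timedelta(weeks=1), end

def count_in_window(events, window):
    """Return (Total, Failures) like the timechart in the post."""
    start, end = window
    statuses = [status for t, status in events if start <= t < end]
    return len(statuses), statuses.count(401)

# Constructed sample events (UTC timestamp, HTTP status); not real data.
EVENTS = [
    (datetime(2015, 8, 23, 4, 30, tzinfo=UTC), 401),  # Sun 00:30 EDT / Sat 23:30 CDT
    (datetime(2015, 8, 25, 15, 0, tzinfo=UTC), 200),
    (datetime(2015, 8, 27, 9, 0, tzinfo=UTC), 401),
    (datetime(2015, 8, 30, 4, 15, tzinfo=UTC), 200),  # Sun 00:15 EDT / Sat 23:15 CDT
    (datetime(2015, 8, 30, 4, 45, tzinfo=UTC), 200),  # Sun 00:45 EDT / Sat 23:45 CDT
]
NOW = datetime(2015, 9, 1, 12, 0, tzinfo=UTC)  # constructed "run time"

if __name__ == "__main__":
    for name, tz in (("EDT (user)", EDT), ("CDT (server)", CDT)):
        window = last_week_window(NOW, tz)
        total, failures = count_in_window(EVENTS, window)
        print(f"{name}: {window[0].isoformat()} .. {window[1].isoformat()} "
              f"Total={total} Failures={failures}")
```

Events in the hour between the two zones' midnights fall into different weeks, which is why the report scheduled under the server's timezone does not match what the EST users see in the GUI.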