Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Display search results in utc time for all users

wasifchowdhury
Explorer
‎11-10-2021 09:15 AM

My default timezone is EST. How do I change it so that when other users are using my dashboards they can view it utc time or a different time zone? Or in other words displaying my result in a different time zone or adding an offset.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-10-2021 12:10 PM

Why would you want to do that? I don't think that it's possible on its own (as simple timestamp displaying) - you'd have to do some ugly timestamp offset calculations and cut and glue some parts from the string representation.

But why?

The only reason to fiddle with timezones that I can see would be to choose common start/end timestamps across timezones (so that everybody analyses - for example - full 24h period starting at the same point in time regardless of where they are situated).

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2021 11:51 AM

When others run your dashboards, Splunk will convert times into the users' selected time zones.  You don't have to do anything on your end.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

wasifchowdhury
Explorer
‎11-10-2021 11:56 AM

I know it will run as users selected time zone but let's say someone who has their timezone selected as EST on the splunk application, how can they see my dashboards such that the results display in a different time zone? I want to create my dashboards in such a way as to they display utc times no matter what the user time zone is pre configured.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-11-2021 06:13 AM

Splunk renders the times in user's configured timezone. I don't think there's a way to override it.

As I said, you could do some magic with either recalculating timestamps (which would be bad - you should never touch timestamps unless you really mean it) or doing some nasty tricks with fieldformat (which would be ugly and would need to be explicitely called in every search).

I understand that there could be some borderline use cases with geographically spread teams working together but they would still have many more problems than just timestamps in splunk so they should already have it figured out without the need to force a particular timezone on the user.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2021 05:37 AM

I think there is no way to do that.  Splunk will try to convert times to the user's selected zone.  You may be able to do some slight-of-hand to override that, but since you don't know the user's selected time zone you don't know the offset to compute.  And what if the user doesn't WANT to see times in UTC?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...