Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Display search results in utc time for all users

wasifchowdhury
Explorer
‎11-10-2021 09:15 AM

My default timezone is EST. How do I change it so that when other users are using my dashboards they can view it utc time or a different time zone? Or in other words displaying my result in a different time zone or adding an offset.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-10-2021 12:10 PM

Why would you want to do that? I don't think that it's possible on its own (as simple timestamp displaying) - you'd have to do some ugly timestamp offset calculations and cut and glue some parts from the string representation.

But why?

The only reason to fiddle with timezones that I can see would be to choose common start/end timestamps across timezones (so that everybody analyses - for example - full 24h period starting at the same point in time regardless of where they are situated).

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2021 11:51 AM

When others run your dashboards, Splunk will convert times into the users' selected time zones.  You don't have to do anything on your end.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

wasifchowdhury
Explorer
‎11-10-2021 11:56 AM

I know it will run as users selected time zone but let's say someone who has their timezone selected as EST on the splunk application, how can they see my dashboards such that the results display in a different time zone? I want to create my dashboards in such a way as to they display utc times no matter what the user time zone is pre configured.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-11-2021 06:13 AM

Splunk renders the times in user's configured timezone. I don't think there's a way to override it.

As I said, you could do some magic with either recalculating timestamps (which would be bad - you should never touch timestamps unless you really mean it) or doing some nasty tricks with fieldformat (which would be ugly and would need to be explicitely called in every search).

I understand that there could be some borderline use cases with geographically spread teams working together but they would still have many more problems than just timestamps in splunk so they should already have it figured out without the need to force a particular timezone on the user.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2021 05:37 AM

I think there is no way to do that.  Splunk will try to convert times to the user's selected zone.  You may be able to do some slight-of-hand to override that, but since you don't know the user's selected time zone you don't know the offset to compute.  And what if the user doesn't WANT to see times in UTC?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...