I've to run a count difference for a query over a period of time. For example. I need the difference of counts for my search between 9:00 PM -10:00 PM today and yesterday. Timewrap is an option but timewrap needs to search for the entire day and I only need counts for that specific time. So I have used an approach to use the $job.earlietTime$ $job.latestTime$ and subtract 86400 seconds form the for my second search. The approach works fine but when the same dashboard is opened from a system in a different country the time difference varies. I have extracted the timezone in the strp function as well. Below is the sample dashboard which explains my problem.
<form>
<label>Dashboard Time Picker Display Earliest and Latest</label>
<search>
<query>| makeresults</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<done>
<eval token="eartime">strptime($job.earliestTime$,"%Y-%m-%dT%T.%3N:z")-86400</eval>
<eval token="lattime">strptime($job.latestTime$,"%Y-%m-%dT%T.%3N:z")-86400</eval>
<eval token="eartime_ws">$job.earliestTime$</eval>
<eval token="lattime_ws">$job.latestTime$</eval>
</done>
</search>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<input type="time" token="tokTime">
<label></label>
<default>
<earliest>1513591200</earliest>
<latest>1513598400</latest>
</default>
</input>
<html>
Date and time choosen $eartime_ws$ AND $lattime_ws$ <br/></br>
Date and time 1 day later $eartime$ AND $lattime$
</html>
<table>
<search>
<query>|table t</query>
<earliest>$eartime$</earliest>
<latest>$lattime$</latest>
</search>
</table>
</panel>
</row>
</form>
Values for eartime and lattime are different when opened from US and India. both of the splunk users have set timezone to PST in splunk account settings. I've tried to change the default time zone on my machine and checked but that doesn't have an effect at this time.
