Splunk always stores the timestamp in the index in epoch time - but it always adjusts and uses the user's settings when running a search or displaying a dashboard. If the user's profile is set to EST, they will see EST in their results and EST will be used to select the data for the dashboard or search.
So if you want to see things in a particular timezone, the only way I know is this:
- write the search using the PEAKHOUR field as you have defined it (or whatever makes sense - see below)
- change the user profile to CST if you want to see the results in terms of CST, change to EST if you want results in EST etc.
AFAIK, there is no way to determine what the user's current time zone setting is, nor is there any way to ignore or override it.
However, IF there is a timestamp that appears in the raw event data, Splunk will automatically create fields named date_* (date_wday, date_mday, date_hour, etc.). IF you have those fields, they will always use the time stamp of the event; these fields are not adjusted to UTC or to the user's time zone setting. So you may be able to do what you want by using those fields instead of _time, like this:
PEAKHOUR = case(date_wday="saturday" OR date_wday="sunday","NO",
date_hour=10,"YES",
1==1,"NO")
(I think the case function is easier to read than the if function.) I would not create this as a calculated field, because then PEAKHOUR will be calculated whenever the data is returned from any search - that's some overhead. Instead, I would use the peak hour calculation within my search, something like this:
yoursearchhere earliest=somethingEarlier latest=somethingLater
| where date_wday!="saturday" AND date_wday!="sunday" AND date_hour=10
| ...
In this case, just make sure that the earliest and latest for search will capture all the data that you want, as you will be generating the specific subset in the second step.
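To make the difference between date_* fields and _time concrete, here is an added Python sketch (not Splunk code and not from the original answer) that mimics how Splunk cuts date_wday/date_hour from the raw timestamp as written, while a user-facing view renders _time in the user's profile time zone; the events and the fixed UTC offsets are constructed for illustration.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample events; each raw timestamp carries the source host's own UTC offset.
RAW_EVENTS = [
    "2024-03-02T10:15:00-05:00 login user=alice",  # Saturday 10:15 in the event's own zone
    "2024-03-04T10:05:00-05:00 login user=bob",    # Monday 10:05, written in UTC-5
    "2024-03-04T10:45:00-08:00 login user=carol",  # Monday 10:45, written in UTC-8 (13:45 in UTC-5)
    "2024-03-04T15:30:00+00:00 login user=dave",   # Monday 15:30 UTC (10:30 in UTC-5)
]

def extract_fields(raw):
    """Mimic the date_* extraction: values come from the raw timestamp string exactly
    as written, with no time zone conversion; _time is the epoch value the index stores."""
    ts_str, _, _ = raw.partition(" ")
    ts = datetime.fromisoformat(ts_str)
    return {
        "_time": ts.timestamp(),                  # epoch seconds, zone-independent
        "date_wday": ts.strftime("%A").lower(),   # Splunk's date_wday is lowercase, e.g. "monday"
        "date_hour": ts.hour,                     # hour as written in the event, unadjusted
    }

def peakhour_from_date_fields(ev):
    """The case() logic from the answer above, applied to the date_* fields."""
    if ev["date_wday"] in ("saturday", "sunday"):
        return "NO"
    return "YES" if ev["date_hour"] == 10 else "NO"

def peakhour_from_time(ev, user_utc_offset_hours):
    """Same logic, but derived from _time rendered in the user's profile time zone
    (modelled here as a fixed UTC offset so the example runs without tz data)."""
    tz = timezone(timedelta(hours=user_utc_offset_hours))
    local = datetime.fromtimestamp(ev["_time"], tz=tz)
    if local.strftime("%A").lower() in ("saturday", "sunday"):
        return "NO"
    return "YES" if local.hour == 10 else "NO"

def compare(user_utc_offset_hours):
    """Return (user, PEAKHOUR via date_* fields, PEAKHOUR via _time in the user's zone)."""
    rows = []
    for raw in RAW_EVENTS:
        ev = extract_fields(raw)
        user = raw.split("user=")[1]
        rows.append((user, peakhour_from_date_fields(ev),
                     peakhour_from_time(ev, user_utc_offset_hours)))
    return rows

if __name__ == "__main__":
    for offset in (-5, -8):
        print(f"user profile UTC{offset:+d}:", compare(offset))
```

Only the date_* column stays the same no matter which profile offset is used; the _time-based column changes with it.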