Solved: How to change time zone format in dashboard panel ...

gnoriega · ‎05-26-2020

Hi,

I have a dashboard with a panel where I'm showing a table of triggered alerts:

            | table _time, ss_name, severity
            | sort - _time
            | rename ss_name AS "Alert Name", severity AS "Severity"

When a user clicks on the alert name, the dashboard populates a drill down pane.

        <drilldown>
          <condition field="Alert Name">
            <set token="show_panel">true</set>
            <set token="selected_value">"$click.value2$"</set>
            <set token="selected_value_latest">$click.value$</set>
            <eval token="selected_value_earliest">relative_time($selected_value_latest$, "-15m")</eval>
            <eval token="converted_time">strftime($selected_value_latest$, "%Y-%d-%m %H:%M")</eval>
          </condition>
          <condition>
          </condition>
        </drilldown>

and I'm using the converted_time token to show the user the time of the alarm they clicked.

    <panel>
      <table>
        <title>[Drilldown] Recent statistics for $selected_value$ at $converted_time$</title>

The issue I have is that this converted_time is showing an offset time. From what I gather it's showing the time in the local computer timezone (e.g. GMT -6 where the user is logged in from) even though the user's Splunk preference is set to GMT -5. I do not want to show the time in the user's timezone but rather in GMT -5.

If I run strftime in a search, e.g.:

 | eval converted_time= strftime(_time, "%Y-%d-%m %H:%M")
 | table _time converted_time

The converted_time column shows the time correctly matching the _time column. But when I use strftime in the dashboard:

<eval token="converted_time">strftime($selected_value_latest$, "%Y-%d-%m %H:%M")</eval>

I'm getting a different result. How can I fix this?

gnoriega · ‎05-27-2020

Found a way to solve this by doing several manipulations of the _time. When I get the value of $row._time$ it returns the time in string format with the correct timezone GMT -5. I then removed the trailing data that I didn't need.

            <eval token="strip_time">replace(replace($row._time$,"-05:00",""),"T"," ")</eval>
            <eval token="strip_time1">mvindex(split($strip_time$,":"),0)</eval>
            <eval token="strip_time2">mvindex(split($strip_time$,":"),1)</eval>
            <eval token="converted_time">$strip_time1$+":"+$strip_time2$</eval>

There's probably a better way to do this but this worked for me.

View solution in original post

gnoriega · ‎05-27-2020

Found a way to solve this by doing several manipulations of the _time. When I get the value of $row._time$ it returns the time in string format with the correct timezone GMT -5. I then removed the trailing data that I didn't need.

            <eval token="strip_time">replace(replace($row._time$,"-05:00",""),"T"," ")</eval>
            <eval token="strip_time1">mvindex(split($strip_time$,":"),0)</eval>
            <eval token="strip_time2">mvindex(split($strip_time$,":"),1)</eval>
            <eval token="converted_time">$strip_time1$+":"+$strip_time2$</eval>

There's probably a better way to do this but this worked for me.

How to change time zone format in dashboard panel to match user preference for triggered alerts?

drilldown

panel

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio