Re: Cron schedule stuck on initial user timezone.

sjohnnehta · ‎09-24-2015

Hi there,

I made the mistake of configuring some alert under the admin user before I'd set it's timezone. Now the cron schedules for those jobs are running against UTC and even though I've set admin to the correct timezone, the cron schedules have remained against UTC times. I tried changing them to something else then changing back but they revert to UTC. Does anyone know how I can 'unlock' these alerts and get the jobs to run against my timezone?

I also see the 'Run as Owner or User' options and I'm not seeing much info on that. What will that help me do?

Thanks.

gcato · ‎09-24-2015

Hi sjohnehta,

Splunk cron schedule is clever enough to take owner's timezone into account and runs according to the user's configured time zone. Check next run time under Settings -> Searches, reports, and alerts -> Scheduled time.

sjohnnehta · ‎09-24-2015

Hi there. This does make sense and moves me close to not receiving alerts at all hours. The search head is a linux machine that is sync'd to ntp but had the timezone set as UTC and UTC=1, or whatever it is. I just changed that to my local timezone, do you think I should do that and would I still need to build in this offset?

Thanks.

gcato · ‎09-25-2015

Hi sjohnehta,

Yes, to be clear; cron is not timezone "aware" so you will need to apply an offset from your local time to the to the server's UTC time. There are plenty of timezone conversion web sites if you need help in working out your offset (run some tests). Setting your Splunk UI user's timezone does not affect cron style scheduling, so just leave your Splunk users UI timezone to match your local time.

Another issue you'll have is when there is a change to/from daylights saving time (DST), or summer and winter time. The server running in UTC will not change for DST so suddenly your alerts will running a 1 hour early or late, depending on when they were set.

gcato · ‎09-29-2015

Hi sjohnehta, If I've answered your question, please accept it so that others may find it.

gcato · ‎09-29-2015

Hi sjohnehta and pdjhh,

I must apologise, I've been playing around this morning (v6.3) and find I've been completely wrong. Splunk cron schedule is clever enough to take owner's timezone into account and runs according to the user's configured time zone. Check nex trun time under Settings -> Searches, reports, and alerts -> Scheduled time. It is not at all dependent on the search heads running timezone, as I thought and offsets are not needed.

I'm going to adjust my answer, so other users do not get the wrong information.

pdjhh · ‎09-30-2015

Mm, it won't let me accept the answer at the moment for some reason.

pdjhh · ‎09-29-2015

Hi there. Sorry I have been finishing my configs and doing some testing. What I am seeing is that everything is behaving since I set the timezone, that doesn't seem to make sense based on the above? I see the correct 'next run times' (in local time) next to the jobs and, because I haven't set my baselines properly yet, I start getting alerts at 7am per the cron schedule. What do you think?

sjohnnehta · ‎09-24-2015

I think this is to do with the linux hosts being in the wrong timezone.

Cron schedule stuck on initial user timezone.

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk