time format for results in en-US vs en-GB

Genti
Splunk Employee

I recently received a case about the following issue, and since it has come up before on my cases I think it would be a good idea to write a little Answers question about it.

So, there are two main differences in results when viewing the same page in GB vs US (i.e., localhost:port/en-US vs localhost:port/en-GB/).

  • In GB, the event timestamp shows up in 24-hour format, whereas in the US version it shows up in 12-hour format.
  • In GB the time is right behind the date, whereas in the US version it is separated by a line break.

By default, en-US and en-GB get set by the browser locale (which in turn, I believe, gets set by the OS). If I wanted my results to always default to GB, it would be easy to change the locale on my browser; however, if I wanted to make this change company-wide, this would be a nightmare.

Is there a way to tell Splunk to default the time format to the en-GB locale, but server side (instead of client side)?

1 Solution

Genti
Splunk Employee

This took a little bit of digging and poking the UI devs, but it can be achieved quite nicely.

There's a file in /splunkhome/share/splunk/search_mrsparkle/modules/results where the results are formatted. Around line 72 we have:

% if i18n.current_lang_url_component()=="en-US":
    ${i18n.format_datetime_microseconds(event.time).replace(' ', '<br/>', 1).replace(' ', '&nbsp;')}
% else:
    ${i18n.format_datetime_microseconds(event.time)}
% endif

This is the file that I will be working with. The first thing to note, however, is that I will be making changes to the code, and as such I do not want to make these changes on the default file, for two reasons:

  1. If I break things, then Splunk will not support any further issues I might have in the future.
  2. Any future upgrade will overwrite my changes and make my efforts go to waste.

Hence, I will create a new app where I will put all my file changes, and since apps have higher precedence, my changed file will be read over the default one.

Start by creating a new application within your Splunk instance:

pwd

/splunkhome/etc/apps

Make a new app directory by:

> mkdir time  
> mkdir time/appserver  
> mkdir time/appserver/modules/ 
> mkdir time/appserver/modules/results 
> cd time/appserver/modules/results 


> pwd

/splunkhome/etc/apps/time/appserver/modules/results

Copy the file from the default location into this app/directory:

cp /splunkhome/share/splunk/search_mrsparkle/modules/results/EventsViewer_default_renderer.html .

ls

EventsViewer_default_renderer.html

Modify this file such that the if-condition on line 72 looks like so:

% if i18n.current_lang_url_component()=="en-US":
    ${(event.time.strftime('%d/%m/%Y %H:%M:%S'))}
% else:
    ${i18n.format_datetime_microseconds(event.time)}
% endif

Refresh your web page, and your /en-US/ will look as if it was /en-GB/ throughout all your browsers all around the company.

One thing to note:
Adding %f right after %S will add microseconds, 6 significant digits of them. I was unable to show just 3 significant digits, like the default Splunk view does. I tried %3f, %.3f, etc., but none of them seem to work. If anyone finds the solution to this, it would be cool.

Hope this helps people out there.
Cheers,
.gz

yannK
Splunk Employee

For time in US format, but with a 24h clock.
Try:
strftime('%m/%d/%Y %H:%M:%S')

waechtler
Path Finder

I found this solution useful:

My browser will use the German locale de-DE by default, which is not supported by Splunk. Changing this to en-GB is not an option.

Under

/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/locale

I found a set of directories for supported locales, renamed (or better, copied) en_GB to de_DE and restarted Splunk.

Note:
In the URL, the locale is called de-DE, while the above-mentioned directory is called de_DE. Not sure why, but it works.

jrodman
Splunk Employee

The question regarding the %f is what event.time is. Try type(event.time) to see what it claims to be. Or ask a ui developer.

Personally I'd do some awful hack such as..., assuming event.time can be the integer,

milliseconds = ("%s.5" % str(event.time % 1))[2:]

${(event.time.strftime('%d/%m/%Y %H:%M:%S') + milliseconds )}

0 Karma
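The open %f question from the accepted answer, together with the question of what event.time actually is, as an added example that is not part of any post above and is not Splunk's code. The helper name format_gb_millis is hypothetical, and the example assumes event.time is either a Python datetime or an epoch-seconds number (shown in UTC):

```python
from datetime import datetime, timezone
from decimal import Decimal

GB_FORMAT = '%d/%m/%Y %H:%M:%S'   # format string from the accepted answer
US_24H_FORMAT = '%m/%d/%Y %H:%M:%S'  # variant suggested by yannK


def format_gb_millis(event_time, fmt=GB_FORMAT):
    """Hypothetical helper: render event_time with 3 fractional digits.

    strftime has no width or precision modifier for %f, which is why
    '%3f' and '%.3f' do not work. The fraction is built separately and
    appended to the strftime output instead.
    """
    if isinstance(event_time, datetime):
        stamp = event_time
        micros = event_time.microsecond
    else:
        # Assumption: anything else is non-negative epoch seconds.
        # Decimal(str(...)) avoids binary float artifacts (0.29 -> 0.28999...).
        exact = Decimal(str(event_time))
        whole = int(exact // 1)
        micros = int((exact - whole) * 1000000)
        stamp = datetime.fromtimestamp(whole, tz=timezone.utc)
    # Truncate instead of rounding: rounding 999999 microseconds up would
    # have to carry into the seconds (and possibly the date) field.
    return '%s.%03d' % (stamp.strftime(fmt), micros // 1000)


if __name__ == '__main__':
    # Constructed sample values, not taken from a real Splunk event.
    print(format_gb_millis(datetime(2011, 3, 13, 14, 5, 9, 123456)))
    print(format_gb_millis(datetime(2011, 3, 13, 23, 59, 59, 999999)))
    print(format_gb_millis(1300000000.29))
```

If event.time is a datetime, as the strftime call in the accepted answer implies, the same truncation can be written inline as `event.time.strftime('%d/%m/%Y %H:%M:%S.%f')[:-3]`.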
