Getting Data In

Server and Web Browser are in another time zone from display on Citrix Xenapp client and timeline time zone is wrong no matter what the account timezone is set to

kstailey
Engager

There is (was?) SPL-46852

If you change the time zone of the current Splunk Web user to be different from the server time zone, you will not see the change take effect immediately. The retrieved events will be in the correct time zone but the timeline will not. Wait 30 seconds and reload the page to see the updated timeline.

but I do not think the issue I have is exactly the same because my Splunk servers and web browser (Firefox) are both in another time zone while I'm using this over Citrix XenApp. I get:

If you change the time zone of the current Splunk Web user to be different from the server time zone, you will not see the change ever despite waiting and refreshing.

I tested the web browser via the java console and it is most definitely in the same time zone as the Splunk servers which is a different time zone from the user, and the user has set their time zone to the time zone they are in. The log files are parsed so the time zone matches the log entry and it also matches the time zone Splunk Web is in and the user is in. Only the timeline time zone is off and it is the time zone of the Splunk servers and the web browser.

This Splunk installation is under the control of our PaaS provider, so I can't modify it or open a bug report.

0 Karma

woodcock
Esteemed Legend

I believe you are misunderstanding how the user's timezone normalization works.

On the Events tab, find the Raw/List/Table link on your Search Head that is just under the timeline graph, just above the thin line that marks where the search results are shown, just to the right of the fields area, but still the farthest thing to the left on that line. Make sure it is set to List. This will add a column to your search results called Time which will show you each event's _time value formatted for the Time zone setting in your user profile. You may be confused because the timestamp shown inside the raw event text will never change and will always be exactly the way it was when the thing that generated it sent it to splunk. This setting also effects the way the Timepicker interprets relative times (e.g Yesterday).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...