Timezones issues 1 site, 3 users in different timezones.

robertlynch2020
Motivator

Hi

I have 1 site, but users in 3 timezones.
One in Dublin, Paris and Beirut. (Paris is one hour ahead of me.)

I want all users to see 100% what is seen by the Paris users.

All the servers and forwarders are in Paris.
When I log in with a Paris user with CITRIX it all works fine, however when I log in with a Dublin user I am getting issues: the time is out by 1 hour when I do an action.

I am using a user with (Default system time).
I have created a graph like below that maps out the events. When I hover over it I can see the start and end time of the event [16:10 - 16:17].
I have set up a drilldown that will drive another graph to display the logs that happened in that time zone.

So in my example, I click on PREPARE_TDS and it should drive the next graph with the time of $earliest$ & $latest$, however in Dublin it pushes the time to 17:10 and not 16:10. In Paris it works fine, 16:10 is used. So the location of the Dublin user is causing an issue.

2 Questions
1) Is there a way to tell SPLUNK that all users should get the same data, ignoring location? So in my case I want all users to see data on PARIS time as all the servers and forwarders are there.

2) If not for above, how do I fix it for the Dublin users?

<viz type="timeline_app.timeline">
  <search>
    <query>eventtype=mlc sourcetype=lts_timings host=$host_token$ | eval duration_seconds=duration_seconds*1000 | eval task_name2=task_name | table _time task_name task_name2 duration_seconds | sort $Name_or_Duration2$ | rename task_name as Event_Name | rename task_name2 as Event_Name2 | search Event_Name=*$Task_Search$*</query>
    <earliest>$tps_selection.earliest$</earliest>
    <latest>$tps_selection.latest$</latest>
  </search>
  <option name="height">399</option>
  <option name="timeline_app.timeline.axisTimeFormat">SECONDS</option>
  <option name="timeline_app.timeline.colorMode">categorical</option>
  <option name="timeline_app.timeline.maxColor">#DA5C5C</option>
  <option name="timeline_app.timeline.minColor">#FFE8E8</option>
  <option name="timeline_app.timeline.numOfBins">6</option>
  <option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
  <option name="timeline_app.timeline.useColors">1</option>
  <drilldown>
    <set token="TEST_GANTT_VALUE">$row.Event_Name$</set>
    <set token="TEST_GANTT_start">$earliest$</set>
    <set token="TEST_GANTT_end">$latest$</set>
  </drilldown>
</viz>

The search is the same from Paris or Dublin.

So the question I have is: I am aware that if I use the eval function to set the time it will change the time, however in this case I am setting the data. I am unsure how to get the Dublin users to see what the Paris users are seeing.

Cheers 🙂

0 Karma

robertlynch2020
Motivator

I have also tried to change my splunk/etc/apps/user-prefs/local/user-prefs.conf

However a user consultant logged in from Dublin is still converting time to +1.

[default]
tz = Europe/Paris

[role_consultant]
default_namespace = murex_mlc
tz = Europe/Paris

[role_consultant_read]
default_namespace = murex_mlc
tz = Europe/Paris

0 Karma

robertlynch2020
Motivator

I also tried to set up epoch time, however the graph does not display it so I can't reference it. Unless there is a way to do that?

<viz type="timeline_app.timeline">
  <search>
    <query>eventtype=mlc sourcetype=lts_timings host=$host_token$ | eval duration_seconds=duration_seconds*1000 | eval task_name2=task_name  | eval Start_epoc=start  |  eval Stop_epoc=end | eval Start_epoc = strptime(Start_epoc,"%Y-%m-%d %H:%M:%S") | eval Stop_epoc = strptime(Stop_epoc,"%Y-%m-%d %H:%M:%S") | table _time task_name task_name2 duration_seconds Start_epoc Stop_epoc | sort $Name_or_Duration2$ | rename task_name as Event_Name | rename task_name2 as Event_Name2 | search Event_Name=*$Task_Search$*</query>
    <earliest>$tps_selection.earliest$</earliest>
    <latest>$tps_selection.latest$</latest>
  </search>
  <option name="height">399</option>
  <option name="timeline_app.timeline.axisTimeFormat">SECONDS</option>
  <option name="timeline_app.timeline.colorMode">categorical</option>
  <option name="timeline_app.timeline.maxColor">#DA5C5C</option>
  <option name="timeline_app.timeline.minColor">#FFE8E8</option>
  <option name="timeline_app.timeline.numOfBins">6</option>
  <option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
  <option name="timeline_app.timeline.useColors">1</option>
  <drilldown>
    <set token="TEST_GANTT_VALUE">$row.Event_Name$</set>
    <set token="TEST_GANTT_start">$row.Start_epoc$</set>
    <set token="TEST_GANTT_end">$row.Stop_epoc$</set>
  </drilldown>
</viz>

0 Karma

cmerriman
Super Champion

Have you tried to change the user's TZ in the account settings to be Paris TZ?

0 Karma

robertlynch2020
Motivator

Hi

Yes, I have tried this, but no luck. Paris displays correctly but Dublin is still one hour + when I click the button.

Cheers anyway.

0 Karma

cmerriman
Super Champion

Do you happen to have the date_zone in your data? I have similar needs for my own data but need to be able to see data in my own time zone as well as in local time zones at sites. I add this chunk of syntax right after my base search to shift _time. It may need to be tweaked to what you need it to do, but it's a start.

| addinfo 
| convert mktime(dateTime) as epochDateTime timeformat="%Y-%m-%d %H:%M:%S.%6N %:z" 
| eval shifted_time=epochDateTime-(abs(date_zone)*60) 
| convert ctime(shifted_time) as shifted_time_epoch timeformat="%Y-%m-%d %H:%M:%S.%6N %:z" 
| eval offset=case(like(shifted_time_epoch,"%12:00") ,43200, like(shifted_time_epoch ,"%11:00"),39600, like(shifted_time_epoch,"%10:00"),36000, like(shifted_time_epoch,"%09:00"),32400, like(shifted_time_epoch,"%08:00"),28800, like(shifted_time_epoch,"%07:00"),25200, like(shifted_time_epoch,"%06:00"),21600, like(shifted_time_epoch,"%05:00"),18000, like(shifted_time_epoch,"%04:00"),14400, like(shifted_time_epoch,"%03:00"),10800, like(shifted_time_epoch,"%02:00"),7200, like(shifted_time_epoch,"%01:00"),3600, like(shifted_time_epoch,"%00:00"),0)
| eval _time=shifted_time+offset

0 Karma

robertlynch2020
Motivator

Hi

Thanks for this, however I was trying to get an answer on the system level and not have to add code into the configuration.

However it is looking like it is not possible.

0 Karma
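
Added illustration, not part of any post in this thread: drilldown bounds carried as epoch seconds are the same for every viewer, while bounds carried as a zone-less wall-clock string move by the viewer's offset from the server when they are re-read. Only the 16:10 - 16:17 window comes from the thread; the date, the function names and the IANA zone names are assumptions.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

FMT = "%Y-%m-%d %H:%M:%S"
SERVER_TZ = ZoneInfo("Europe/Paris")  # servers and forwarders are in Paris

# Constructed sample: the 16:10 - 16:17 window from the thread on an assumed date.
EVENT_START = "2024-06-03 16:10:00"
EVENT_END = "2024-06-03 16:17:00"


def to_epoch(wall_clock, zone):
    """Read a zone-less timestamp as local time in `zone`; return epoch seconds."""
    return int(datetime.strptime(wall_clock, FMT).replace(tzinfo=zone).timestamp())


def as_server_time(epoch):
    """Render epoch seconds as wall-clock time in the server's zone."""
    return datetime.fromtimestamp(epoch, SERVER_TZ).strftime(FMT)


def drilldown_window(viewer_tz_name, carry="epoch"):
    """Return the (earliest, latest) the drilldown ends up with, in server time.

    carry="epoch":     bounds are converted to epoch once, in the server zone,
                       and passed on unchanged, so the viewer's zone never matters.
    carry="wallclock": bounds are passed as zone-less strings and re-read in the
                       viewer's zone, which moves them by the zone difference.
    """
    read_zone = SERVER_TZ if carry == "epoch" else ZoneInfo(viewer_tz_name)
    return tuple(as_server_time(to_epoch(t, read_zone))
                 for t in (EVENT_START, EVENT_END))


if __name__ == "__main__":
    for tz in ("Europe/Paris", "Europe/Dublin", "Asia/Beirut"):
        print(tz, drilldown_window(tz, "epoch"), drilldown_window(tz, "wallclock"))
```
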