Splunk Search

How to get different results for strptime on different laptops?

skomaravelli
Engager

I have to run a count difference for a query over a period of time. For example, I need the difference of counts for my search between 9:00 PM - 10:00 PM today and yesterday. Timewrap is an option, but timewrap needs to search the entire day and I only need counts for that specific time. So I have used an approach that uses $job.earliestTime$ and $job.latestTime$ and subtracts 86400 seconds from them for my second search. The approach works fine, but when the same dashboard is opened from a system in a different country, the time difference varies. I have extracted the timezone in the strp function as well. Below is the sample dashboard which explains my problem.

<form>
  <label>Dashboard Time Picker Display Earliest and Latest</label>
  <search>
    <query>| makeresults</query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <done>
      <eval token="eartime">strptime($job.earliestTime$,"%Y-%m-%dT%T.%3N:z")-86400</eval>
      <eval token="lattime">strptime($job.latestTime$,"%Y-%m-%dT%T.%3N:z")-86400</eval>
      <eval token="eartime_ws">$job.earliestTime$</eval>
      <eval token="lattime_ws">$job.latestTime$</eval>
    </done>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="time" token="tokTime">
        <label></label>
        <default>
          <earliest>1513591200</earliest>
          <latest>1513598400</latest>
        </default>
      </input>
      <html>
         Date and time chosen $eartime_ws$             AND              $lattime_ws$ <br/>
         Date and time 1 day later $eartime$       AND     $lattime$
      </html>
      <table>
        <search>
          <query>|table t</query>
          <earliest>$eartime$</earliest>
          <latest>$lattime$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

Values for eartime and lattime are different when opened from the US and India. Both of the Splunk users have set the timezone to PST in their Splunk account settings. I've tried changing the default time zone on my machine and checked, but that doesn't have an effect at this time.

0 Karma
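
One way to get the previous day's window without parsing a timestamp string in the dashboard, as an added example that is not part of the original post: the base search computes the shifted bounds as epoch seconds with addinfo, and the done handler copies them into the post's eartime and lattime tokens. The labels and the panel query are constructed placeholders, and the sketch assumes a bounded time range as in the post.

```xml
<form>
  <label>Same time window, one day earlier</label>
  <!-- Base search: runs over the picker's range and returns the shifted bounds. -->
  <!-- addinfo adds info_min_time / info_max_time, the search's own time bounds -->
  <!-- in epoch seconds, so no timestamp string has to be parsed. -->
  <!-- Assumption: the picker always has a latest bound; without one, -->
  <!-- info_max_time is not a finite epoch value. -->
  <search>
    <query>| makeresults
| addinfo
| eval eartime = info_min_time - 86400, lattime = info_max_time - 86400
| fields eartime lattime</query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <done>
      <!-- $result.<field>$ reads the field from the first result row -->
      <set token="eartime">$result.eartime$</set>
      <set token="lattime">$result.lattime$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label>Window to compare</label>
      <default>
        <earliest>1513591200</earliest>
        <latest>1513598400</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Placeholder query (constructed): substitute the search being counted -->
        <search>
          <query>index=_internal | stats count</query>
          <earliest>$eartime$</earliest>
          <latest>$lattime$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Subtracting a fixed 86400 seconds moves the wall-clock window by an hour when the two days straddle a daylight-saving change.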