Server and Web Browser are in another time zone from display on Citrix XenApp client and timeline time zone is wrong no matter what the account timezone is set to

kstailey
Engager

There is (was?) SPL-46852

If you change the time zone of the current Splunk Web user to be different from the server time zone, you will not see the change take effect immediately. The retrieved events will be in the correct time zone but the timeline will not. Wait 30 seconds and reload the page to see the updated timeline.

but I do not think the issue I have is exactly the same because my Splunk servers and web browser (Firefox) are both in another time zone while I'm using this over Citrix XenApp. I get:

If you change the time zone of the current Splunk Web user to be different from the server time zone, you will not see the change ever despite waiting and refreshing.

I tested the web browser via the Java console and it is most definitely in the same time zone as the Splunk servers, which is a different time zone from the user, and the user has set their time zone to the time zone they are in. The log files are parsed so the time zone matches the log entry and it also matches the time zone Splunk Web is in and the user is in. Only the timeline time zone is off and it is the time zone of the Splunk servers and the web browser.

This Splunk installation is under the control of our PaaS provider, so I can't modify it or open a bug report.

0 Karma

woodcock
Esteemed Legend

I believe you are misunderstanding how the user's timezone normalization works.

On the Events tab, find the Raw/List/Table link on your Search Head that is just under the timeline graph, just above the thin line that marks where the search results are shown, just to the right of the fields area, but still the farthest thing to the left on that line. Make sure it is set to List. This will add a column to your search results called Time which will show you each event's _time value formatted for the Time zone setting in your user profile. You may be confused because the timestamp shown inside the raw event text will never change and will always be exactly the way it was when the thing that generated it sent it to Splunk. This setting also affects the way the Timepicker interprets relative times (e.g. Yesterday).

0 Karma
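The behaviour described in the answer above, modelled as an added example (not Splunk code and not part of either post): the stored epoch and the raw text stay fixed, while the Time column and the "Yesterday" window follow the profile time zone. The fixed-offset zones, function names and sample events are constructed for illustration, and DST is ignored.

```python
from datetime import datetime, timedelta, timezone

# Assumed zones for illustration: servers/browser in UTC, user profile in UTC-5.
SERVER_TZ = timezone.utc
USER_TZ = timezone(timedelta(hours=-5))

# Constructed sample events: (epoch _time, raw text exactly as the source wrote it).
EVENTS = [
    (1714528800, "2024-05-01 02:00:00 +0000 login ok user=a"),
    (1714564800, "2024-05-01 12:00:00 +0000 login ok user=b"),
    (1714615200, "2024-05-02 02:00:00 +0000 login failed user=c"),
]
NOW = 1714651200  # 2024-05-02 12:00:00 UTC, the moment the search is run


def render_time(epoch, profile_tz):
    """Time column: the same stored epoch, formatted for the profile zone."""
    return datetime.fromtimestamp(epoch, profile_tz).strftime("%Y-%m-%d %H:%M:%S %z")


def yesterday_window(now_epoch, profile_tz):
    """[start, end) epoch bounds of the previous calendar day in the profile zone."""
    now_local = datetime.fromtimestamp(now_epoch, profile_tz)
    midnight = now_local.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((midnight - timedelta(days=1)).timestamp()), int(midnight.timestamp())


def events_yesterday(events, now_epoch, profile_tz):
    """Raw text of the events a 'Yesterday' search returns for this profile zone."""
    start, end = yesterday_window(now_epoch, profile_tz)
    return [raw for epoch, raw in events if start <= epoch < end]


if __name__ == "__main__":
    for label, tz in (("server zone", SERVER_TZ), ("user profile zone", USER_TZ)):
        print(label, "Yesterday window:", yesterday_window(NOW, tz))
        for epoch, raw in EVENTS:
            # The raw text is printed unchanged; only the Time column differs.
            print("  Time:", render_time(epoch, tz), "| raw:", raw)
        print("  matched:", events_yesterday(EVENTS, NOW, tz))
```

The first and last events fall on different calendar days depending on the zone, so the same "Yesterday" search returns a different set for each profile, which matters when correlating a timeline across analysts in different zones.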