Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Dashboard Report Timezone Issue

477450
Explorer
‎08-21-2015 04:34 AM

All our servers (Splunk Indexer, Search Head and applications/universal forwarders) are in CST time zone.
In Splunk UI, we have set the timezone as EST.
Now, we have created a Splunk saved report for last 4 weeks (-4w@w to @w).
Also, we have accelerated this report.
When we run the report directly or via Open in Search, we get data 7/19/15 12:00:00.000 AM EST to 8/16/15 12:00:00.000 AM EST.
Then, we added the report to existing multi-panel dashboard (not as inline search) but as direct report.
However, now we get different values in panel.
We found the reason, when we clicked on magnify glass "Open in Search" below in panel in dashboard.
Reason, this panel runs between 7/19/15 01:00:00.000 AM EST to 8/16/15 01:00:00.000 AM EST
Why would this occur?
Thanks in advance 🙂

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

frobinson_splun
Splunk Employee
Splunk Employee
‎08-26-2015 01:35 PM

Hi again, @477450,
I wanted to let you know that our engineering team has identified this issue as a bug to fix.

There may be a way to work around the problem for now, by adjusting settings in props.conf. In particular, take a look at the timezone configuration settings. It sounds like the report scheduling that you set up for 12 midnight EST is being interpreted as midnight CST, causing it to capture data one hour later, at 1am EST. Perhaps ensuring that this is set to EST would help?

I'm not sure what version of the software you are using, but here is the props.conf spec file in our documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Propsconf

Some other resources that you might find helpful:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/ApplyTimezoneOffsetsToTimeStamps
http://answers.splunk.com/answers/170285/one-dashboard-with-multiple-timezones.html

View solution in original post

Reply
Solved! Jump to solution

delink
Communicator
‎03-30-2016 06:06 AM

I am seeing this issue with the Cisco Security App's Firewall Overview panel on the current version of Splunk Cloud as well. Is there an ETA on when this bug might be fixed? Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

frobinson_splun
Splunk Employee
Splunk Employee
‎08-26-2015 01:35 PM

Hi again, @477450,
I wanted to let you know that our engineering team has identified this issue as a bug to fix.

There may be a way to work around the problem for now, by adjusting settings in props.conf. In particular, take a look at the timezone configuration settings. It sounds like the report scheduling that you set up for 12 midnight EST is being interpreted as midnight CST, causing it to capture data one hour later, at 1am EST. Perhaps ensuring that this is set to EST would help?

I'm not sure what version of the software you are using, but here is the props.conf spec file in our documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Propsconf

Some other resources that you might find helpful:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/ApplyTimezoneOffsetsToTimeStamps
http://answers.splunk.com/answers/170285/one-dashboard-with-multiple-timezones.html

Reply
Solved! Jump to solution

frobinson_splun
Splunk Employee
Splunk Employee
‎08-21-2015 09:06 AM

Hi @477450,
I'm a tech writer here at Splunk and I'd like to help with this. I am looking in to your question currently. I'm checking to see how time zones and/or the cron scheduling and handling for the report might be contributing to the issue you noticed. I'll report back with more information ASAP!

Please feel free to post further questions or feedback here in the meantime.

Best,
@frobinson_splunk

0 Karma
Reply
Solved! Jump to solution

477450
Explorer
‎08-28-2015 02:46 AM

Hi thanks for the update
we are using splunk version 6.2.0

0 Karma
Reply
Solved! Jump to solution

frobinson_splun
Splunk Employee
Splunk Employee
‎08-28-2015 10:53 AM

Great--thank you for this info! I will pass it along to the engineer working on the bug.

All the best,
@frobinson_splunk

0 Karma
Reply
Solved! Jump to solution

frobinson_splun
Splunk Employee
Splunk Employee
‎08-21-2015 09:13 AM

Can I ask what version of the software you are using? Thanks for any details!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...