First off, this is my first submitted question as I am a new SPLUNK user...so not used to the whole world of SPLUNK yet.
Here's our issue: we have a need to indicate and account for events that are happening in certain time windows in a specific time zone.
For instance, we want to calculate the average CPU utilization from 10 to 11 Central Time for the previous Day/Week/Month for use in a management report.
I created a calculated field that looks like this:
PEAKHOUR = if((strftime(_time, "%a") ="Sat" or strftime(_time, "%a") ="Sun"),"NO",if(tonumber(strftime(_time, "%H"))>=10,if(tonumber(strftime(_time, "%H"))<11,"YES","NO"),"NO"))
and we include it in a dashboard which we select using a drop down, previous day/week/month and then filter for PEAKHOUR in our search like this:
index=performance_stats PEAKHOUR="YES" | blah blah blah | table HIGHCPU, AVERAGECPU
The issue we currently have is if someone in Eastern time runs it, they end up looking at a time window an hour before 10 - 11 Central and someone in Pacific time sees events for 2 hours after that window. It would seem that SPLUNK is adjusting the calculated field to local time before doing the check for the correct hour...we need it to always check to see if it's 10 to 11 Central.
I was thinking that we need to convert the event time to epoch time and then check for the time window (Would Daylight Savings affect things??)...thought I would ask here before I go that route in case I'm missing something obvious.
Thanks!
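
The check the post proposes (take the event's epoch time and test it against a window pinned to one zone), written out as an added example in Python rather than SPL; it is not part of the original post. "America/Chicago" as the meaning of "Central Time" and the sample timestamps are assumptions constructed for the illustration, and the fixed-offset variant is there to show the daylight-saving drift the post asks about.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Assumption: "Central Time" in the post means the US Central zone.
CENTRAL = ZoneInfo("America/Chicago")

def is_peak_hour(epoch, zone=CENTRAL):
    """Weekday 10:00-10:59 check, evaluated in an explicit zone.

    The epoch value is absolute; the zone used to render it decides the hour.
    """
    local = datetime.fromtimestamp(epoch, tz=zone)
    if local.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        return False
    return 10 <= local.hour < 11

def is_peak_hour_fixed_offset(epoch, offset_hours=-6):
    """Same check with a hard-coded UTC-6 shift; drifts an hour under DST."""
    shifted = datetime.fromtimestamp(epoch + offset_hours * 3600, tz=timezone.utc)
    if shifted.weekday() >= 5:
        return False
    return 10 <= shifted.hour < 11

def utc_epoch(year, month, day, hour, minute=0):
    """Build an epoch timestamp from a UTC wall-clock time."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp()

# Constructed sample events, given as UTC wall-clock times.
SAMPLES = {
    "winter 10:30 Central": utc_epoch(2024, 1, 10, 16, 30),  # Wed, CST = UTC-6
    "summer 10:30 Central": utc_epoch(2024, 7, 10, 15, 30),  # Wed, CDT = UTC-5
    "summer 11:30 Central": utc_epoch(2024, 7, 10, 16, 30),  # Wed, outside window
    "Saturday 10:30 Central": utc_epoch(2024, 1, 13, 16, 30),
}

def classify(check, **kwargs):
    """Apply one of the checks above to every sample event."""
    return {name: check(ts, **kwargs) for name, ts in SAMPLES.items()}

if __name__ == "__main__":
    print("pinned to Central :", classify(is_peak_hour))
    print("viewer in Eastern :", classify(is_peak_hour, zone=ZoneInfo("America/New_York")))
    print("fixed UTC-6 offset:", classify(is_peak_hour_fixed_offset))
```

Rendering the same epoch values in the viewer's zone moves every event out of the window, and the fixed UTC-6 shift misses the summer 10:30 event while accepting the 11:30 one.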