Splunk - Adding Timezone to dashboard panels
Troy Wollenslegel
Does displaying timezones in Splunk get you agitated? When someone sends you a screen print or report that shows a huge spike in activity at 8:13am, do you really know it is 8:13am? What if the person sending it was in London, and you are in Atlanta? Was it 8:13am, or was it ~ really ~ 3:13am (which is 8:13 London time)? It is currently hard to know in Splunk.
Using this token makes it easier to share screen captures of dashboard panels: the viewer can see which timezone the search was run in, and so can more easily tell when events happened. The timezone shown follows the timezone the user has set in their Splunk preferences.
Add the following <search> section as a base (hidden) search:
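<form>
  <label></label>
  <!-- Hidden base search: returns the timezone abbreviation of the user viewing the dashboard -->
  <search id="timezone_search">
    <query>| makeresults | eval zone=strftime(_time, "%Z") | table zone</query>
    <done>
      <!-- Copy the first result's zone field into the $timezone$ token -->
      <set token="timezone">$result.zone$</set>
    </done>
  </search>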
*** REST OF DASHBOARD XML ***
Under custom X-Axis, put the following value:
(timezone=$timezone$)
This will add (timezone=XXX) to the bottom of a timechart. Feel free to change the text to fit your needs; it will show the timezone as long as you include the $timezone$ token.
There, doesn't this look a lot better? Now you can be confident in sharing the image and people will know when it happened and not have to guess.
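The two steps above put together in one minimal dashboard, as an added example that is not from the original post. The index=_internal sample search, the "range" time input and the label and panel titles are assumptions chosen for illustration; the two charting.axisTitleX options are the Simple XML form of setting a custom X-axis title in the panel editor.

```xml
<form>
  <label>Timezone token demo (constructed example)</label>
  <!-- Hidden base search: no panel renders it; it only resolves the viewer's timezone -->
  <search id="timezone_search">
    <query>| makeresults | eval zone=strftime(_time, "%Z") | table zone</query>
    <done>
      <!-- Runs when the search finishes; stores the zone field of the first result -->
      <set token="timezone">$result.zone$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <!-- Assumed time picker so the panel has an explicit range -->
    <input type="time" token="range">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events over time</title>
      <chart>
        <search>
          <!-- Assumed sample search; replace with your own timechart -->
          <query>index=_internal | timechart count</query>
          <earliest>$range.earliest$</earliest>
          <latest>$range.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <!-- Custom X-axis title carrying the timezone token into every screenshot -->
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleX.text">(timezone=$timezone$)</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the axis title is part of the chart itself, a cropped screenshot of the panel attached to an incident ticket still states which timezone its timestamps are in.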