Re: Running scheduled searches in other timezones

kaeleyt · ‎08-27-2020

Hi all,

My team is embarking on the Summary Indexing journey as our environment is getting larger. We have various tenants in our environment that wish for their daily summary data to be synced up from midnight to midnight of various time zones (GMT, Pacific Time, Central, etc.). I have my personal account set to Pacific time.

We had been told the best way to ensure that you have no data overlap/gaps with summary indexing is to use the snap-to feature (the @d) syntax using the earliest and latest time modifiers.
Ex: [base search here] earliest=-1d@d latest=@d.... | [rest of search here]

What I'm trying to figure out is if we have one tenant that wants us to run their summary searches from midnight to midnight GMT and another tenant that wants us to run their summary searches from midnight to midnight PST for example, what is the best way to approach that?

isoutamo · ‎08-27-2020

If you are configuring those saved searches via GUI, then you could try to change you TZ (+ logout - log in) before add schedule for that particular time zone. If this is not working then you must manually define those schedules and use last 24hours instead of one day for time periods.

r. Ismo

Running scheduled searches in other timezones

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!