I understand it isn't supposed to be an exact location, but from a user's perspective there aren't THAT many large cities in Australia compared to the US (we literally have 7 major ones total).
I would have thought Splunk would have used the standard TZ list.
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
Most users and Australians in general are on our eastern side of the country. Melbourne, Sydney, Brisbane (12 million) vs Hobart (200k).
As such, we have people that do not know if Hobart has the same daylight savings as all those 3 (hint, they don't), so it isn't clear to people whether they are selecting the right thing or not by choosing Hobart. Which is more of a big town than a city 😉
Remember, Splunk is a time series index so time is VERY important, almost the most important thing. Set in events and also via the UI. Getting it wrong changes the perspective of how the data is presented.
We've had numerous people keep asking: Should I be selecting Hobart? Where is Melbourne or Sydney? It's been an ongoing joke that it hasn't been updated in the past 5 years. It is very embarrassing when we have to tell managers this software we're paying $10s of millions for each year can't have an official timezone included in it.
If it is deemed officially as too hard and the solution is "just use Hobart" then that is fine. I'll just customize every search head to include the code fix myself.