topic Display time in UTC in Getting Data In

Display time in UTC

rtkelly — Mon, 27 Feb 2012 22:17:52 GMT

We are trying to run a report that groups data by the UTC date of events occur. Our Heavy forwarders collect the data from different regions and correctly set the TZ field according to the time fields from the source data. We can tell that this is correct, because the value of the _time field is the epoch time of the events in UTC.

When we run the report, we use strftime(_time, "%Y-%m-%d") to get the date that the event occurred. The problem is that this appears to be reporting the date according to the local representation of the indexer. We know this, because if we add %z to the time format it shows different timezones for each indexer. If we add a map function like "stats" to the command prior to computing the strftime we get the timezone of the search head.

What we want to do is to create a string that represent the UTC date of the event regardless of what timezone the indexer or search head is running on. Since this is a very common scenario for us, is there a configuration setting or search function that can ensure that UTC time is used to render the date?

Re: Display time in UTC

lguinn2 — Mon, 27 Feb 2012 22:40:08 GMT

One way is to set the timezone on your indexers and search heads to UTC. Do this in the OS, and Splunk will render the timezone in UTC by default.

In Splunk 4.3, each user can choose their own timezone for viewing the data/reports/etc. Go to Manager » Access controls » Users to set this for users, or to Manager » Your account to set the timezone for yourself.

Note that Splunk always stores the data in UTC in the index, but displays it according to the indexer's TZ or the users's TZ.

Re: Display time in UTC

rtkelly — Mon, 27 Feb 2012 23:05:08 GMT

Thanks. We were thinking about switching all the servers to run in UTC time. We were also thinnking of upgraing to 4.3 soon. We'd like to run the scheduled searches from app context. Would there be a preferred timezone for an app?

Re: Display time in UTC

lguinn2 — Mon, 27 Feb 2012 23:08:00 GMT

No you can't set timezone by app - sorry. I think it's great if you can have all your servers in UTC - it simplifies management from the OS across the whole software stack. But that's just a personal preference.

Re: Display time in UTC

landen99 — Wed, 28 Jan 2015 18:35:22 GMT

I think that splunk needs a search line command to override the time zone settings in the client for that search, much like "earliest" and "latest" overrides the UI time settings for the search.

Re: Display time in UTC

asieira — Fri, 07 Apr 2017 18:07:58 GMT

I was faced with the same problem recently and I solved it by writing the following macro:

[strftime_utc(2)]
args = field, format
definition = "strftime($field$ - (strptime(strftime($field$, \"%Y-%m-%dT%H:%M:%SZ\"), \"%Y-%m-%dT%H:%M:%S%Z\")-strptime(strftime($field$, \"%Y-%m-%dT%H:%M:%S\"), \"%Y-%m-%dT%H:%M:%S\")), \"$format$\")"
iseval = 1

So you can now write a search that looks like this:

index=main | eval utc_time=`strftime_utc(_time, "%Y-%m-%dT%H:%M:%SZ")`

Regardless of what the timezone is on each event, this will cause the output to be in UTC.

Thanks to @richgalloway for the initial suggestion that lead to this.

Re: Display time in UTC

bhatti009 — Fri, 23 Jul 2021 19:09:10 GMT

Little late but you can try

... | eval offset=strftime(_time,"%z") | eval _time=_time-(offset*36)

Re: Display time in UTC

abhinav_go — Tue, 18 Jun 2024 10:59:46 GMT

@asieira I tried this query but not working for me and getting Error in 'eval' command: The expression is malformed. An unexpected character is reached at `\"%Y-%m-%dT%H:%M:%SZ\"), \`

same macro:

[strftime_utc(2)]
args = field, format
definition = strftime($field$ - (strptime(strftime($field$, \"%Y-%m-%dT%H:%M:%SZ\"), \"%Y-%m-%dT%H:%M:%S%Z\")-strptime(strftime($field$, \"%Y-%m-%dT%H:%M:%S\"), \"%Y-%m-%dT%H:%M:%S\")), \"$format$\")

and now my search looks like:

*My query* | eval utc_time=`strftime_utc(_time, "%Y-%m-%dT%H:%M:%SZ")`