https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357575#M65294 <P>You can use below configuration in props.conf on Search head. In below configuration <CODE>field1</CODE> contains actual timestamp and it will create new field with name <CODE>new_field</CODE> </P> <PRE><CODE>[yoursourcetype] EVAL-new_field = strftime(strptime(field1,"%Y-%m-%dT%H:%M:%SZ")+28800,"%Y-%m-%d") </CODE></PRE> <P>EDIT: You need to repeat same config for 23 times so something like this</P> <PRE><CODE>[yoursourcetype] EVAL-new_field1 = strftime(strptime(field1,"%Y-%m-%dT%H:%M:%SZ")+28800,"%Y-%m-%d") EVAL-new_field2 = strftime(strptime(field2,"%Y-%m-%dT%H:%M:%SZ")+28800,"%Y-%m-%d") ......... ......... EVAL-new_field23 = strftime(strptime(field23,"%Y-%m-%dT%H:%M:%SZ")+28800,"%Y-%m-%d") </CODE></PRE> Wed, 27 Dec 2017 08:20:02 GMT harsmarvania57 2017-12-27T08:20:02Z https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357571#M65290 <P>So I have multiple fields that have time value that looks like this.</P> <PRE><CODE>2017-10-05T16:00:00Z </CODE></PRE> <P>What I want is to convert it to GMT+8 then remove the extra parts and retain just the date instead using props.conf</P> <PRE><CODE>2017-10-06 </CODE></PRE> <P>10-5 UTC converted to GMT+8 is 10-6</P> Wed, 27 Dec 2017 06:50:11 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357571#M65290 michaelrosello 2017-12-27T06:50:11Z https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357572#M65291 <P>Hi,</P> <P>Can you please try below sample query (First line is used to generate dummy data)</P> <PRE><CODE>| makeresults | eval field1="2017-10-05T16:00:00Z" | eval new_field=strftime(strptime(field1,"%Y-%m-%dT%H:%M:%SZ")+28800,"%Y-%m-%d") </CODE></PRE> <P>I have created above query for single field only, if you have multiple field then you need to repeat for each field.</P> Wed, 27 Dec 2017 07:16:45 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357572#M65291 harsmarvania57 2017-12-27T07:16:45Z https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357573#M65292 <P>It work but I'm trying looking at using props.conf as there is 23 fields to be exact that I need to convert.</P> Wed, 27 Dec 2017 07:20:08 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357573#M65292 michaelrosello 2017-12-27T07:20:08Z https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357574#M65293 <P>Hi michaelrosello,</P> <P>Please check below link. It will help you.<BR /> <A href="https://answers.splunk.com/answers/320021/how-do-i-set-timezone-properly-in-propsconf.html">https://answers.splunk.com/answers/320021/how-do-i-set-timezone-properly-in-propsconf.html</A></P> Wed, 27 Dec 2017 07:45:46 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357574#M65293 abhijeet01 2017-12-27T07:45:46Z https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357575#M65294 <P>You can use below configuration in props.conf on Search head. In below configuration <CODE>field1</CODE> contains actual timestamp and it will create new field with name <CODE>new_field</CODE> </P> <PRE><CODE>[yoursourcetype] EVAL-new_field = strftime(strptime(field1,"%Y-%m-%dT%H:%M:%SZ")+28800,"%Y-%m-%d") </CODE></PRE> <P>EDIT: You need to repeat same config for 23 times so something like this</P> <PRE><CODE>[yoursourcetype] EVAL-new_field1 = strftime(strptime(field1,"%Y-%m-%dT%H:%M:%SZ")+28800,"%Y-%m-%d") EVAL-new_field2 = strftime(strptime(field2,"%Y-%m-%dT%H:%M:%SZ")+28800,"%Y-%m-%d") ......... ......... EVAL-new_field23 = strftime(strptime(field23,"%Y-%m-%dT%H:%M:%SZ")+28800,"%Y-%m-%d") </CODE></PRE> Wed, 27 Dec 2017 08:20:02 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-time-to-another-timezone-then-remove-timezone-identifier/m-p/357575#M65294 harsmarvania57 2017-12-27T08:20:02Z