topic Re: How can you adjust timezone in search? Convert UTC to AEST in Splunk Search

How can you adjust timezone in search? Convert UTC to AEST

ebs — Mon, 26 Jul 2021 01:20:19 GMT

Hi, I have a field value 2021-07-26T00:30:51.411 UTC which I got from | eval strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q %Z") how can I turn this field into the Brisbane timezone (+10 hrs)?

Re: How can you adjust timezone in search? Convert UTC to AEST

venkatasri — Mon, 26 Jul 2021 02:42:18 GMT

Hi @ebs

If you are already under Brisbane timezone under user settings, and above said timestamp is mapped _time then your _time value is by default get adjusted to AEST isn't that you are after?

otherwise if time is a field not mapped to _time then a 10 hour shall be added to it.

Re: How can you adjust timezone in search? Convert UTC to AEST

ebs — Mon, 26 Jul 2021 22:48:39 GMT

Hi @venkatasri

Thanks for the answer but sadly this won't work for my use case as I'm using tstats and datamodels and even when my personal timezone is set to Brisbane the time of events is still in UTC. So it needs to be through SPL

Re: How can you adjust timezone in search? Convert UTC to AEST

venkatasri — Mon, 26 Jul 2021 23:21:07 GMT

Hi @ebs

User settings should have been fine could be the way _time been extracted ignored TZ settings. You can try this as an alternative.

| makeresults | eval _time="2021-07-26T00:30:51.411 UTC" | eval _time=strptime(_time." +1000", "%Y-%m-%dT%H:%M:%S.%3Q %Z") | convert ctime(_time)

---

An upvote would be appreciated and Accept solution if this reply helps!

Re: How can you adjust timezone in search? Convert UTC to AEST

ebs — Tue, 27 Jul 2021 04:20:15 GMT

How can I apply this to a pre existing _time field value?

Re: How can you adjust timezone in search? Convert UTC to AEST

venkatasri — Tue, 27 Jul 2021 04:30:18 GMT

@ebs Above SPL replaces _time at search-time but not permanent to indexers.