https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486747#M193727 <P>What do you mean "sample"? User preference isn't the issue -- I'm using the date to look up something in a lookup table.</P> Tue, 14 Jan 2020 13:00:21 GMT jkotula 2020-01-14T13:00:21Z https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486744#M193724 <P>I have a string from a complex JSON event providing an ISO 8601 date/time in UTC. I want to convert it to the local time zone, in this case CST or CDT. The computer knows its timezone and keeps its clock adjusted, so the timezone info is in there somewhere. After hours of search I can find no way that Splunk can perform this simple operation. strptime() gets me half way there, but there is no general, portable way to do the appropriate timezone adjustment.</P> <P>This has nothing to do with the event timestamps! The timestamps I'm converting are different from those. All I'm looking for is simple date/time processing supported by virtually every programming language in existence...</P> Mon, 13 Jan 2020 20:51:40 GMT https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486744#M193724 jkotula 2020-01-13T20:51:40Z https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486745#M193725 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/DateandTimeFunctions">DateandTimeFunctions</A></P> <P>what's your sample?</P> <P>user preference time zone is local?</P> Mon, 13 Jan 2020 21:29:08 GMT https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486745#M193725 to4kawa 2020-01-13T21:29:08Z https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486746#M193726 <P>I admit time zones are not my strong suit, but does this get you closer?</P> <PRE><CODE>| makeresults | eval UTCtime="2020-01-05T13:15:30Z" | fields - _time | eval epochTime=strptime(UTCtime,"%Y-%m-%dT%H:%M:%S.%Q") | eval mySecondsOffset=abs(tonumber(strftime(epochTime,"%:::z")))*60*60 | eval localTimestamp=strftime(epochTime-mySecondsOffset,"%Y-%m-%dT%H:%M:%S") </CODE></PRE> Mon, 13 Jan 2020 21:39:06 GMT https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486746#M193726 jpolvino 2020-01-13T21:39:06Z https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486747#M193727 <P>What do you mean "sample"? User preference isn't the issue -- I'm using the date to look up something in a lookup table.</P> Tue, 14 Jan 2020 13:00:21 GMT https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486747#M193727 jkotula 2020-01-14T13:00:21Z https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486748#M193728 <P>Not really. The whole problem is that I don't know the offset, particularly with DST.</P> Tue, 14 Jan 2020 13:01:23 GMT https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486748#M193728 jkotula 2020-01-14T13:01:23Z https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486749#M193729 <PRE><CODE>| makeresults | eval UTC_string="Mon Jul 13 09:30:00 2017 +0000" | eval UTC=strptime(UTC_string,"%c %z") | eval local_time=strftime(UTC,"%+") </CODE></PRE> <P>Hi @jkotula <BR /> There are the references.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Commontimeformatvariables">Common time format variables</A><BR /><BR /> <A href="https://www.timeanddate.com/time/europe/">Daylight Saving Time and Time Zones in Europe</A><BR /> <A href="https://answers.splunk.com/answers/737581/does-tz-setting-account-for-daylight-savings-time.html">does-tz-setting-account-for-daylight-savings-time</A></P> <P><CODE>%z</CODE> is offset variables.</P> <P>Changing UNIX time to a time string will basically be local time.<BR /> Wouldn't it work if I passed the offset value to <CODE>strptime</CODE> according to the format, as in my example?</P> Tue, 14 Jan 2020 14:10:58 GMT https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486749#M193729 to4kawa 2020-01-14T14:10:58Z https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486750#M193730 <P>UTC format doesn't have the offset in all cases. In my case, I'm looking at JSON output generated by the Newtonsoft library in C#.</P> Tue, 14 Jan 2020 14:27:43 GMT https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486750#M193730 jkotula 2020-01-14T14:27:43Z https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486751#M193731 <PRE><CODE>| makeresults | eval json_time_text="2020-01-05T13:15:30" | eval time=strptime(json_time_text." +0000","%FT%T %z") | eval local_time=strftime(time,"%FT%T %z") </CODE></PRE> <P>Why don't you modify the time string when searching?</P> Tue, 14 Jan 2020 14:38:30 GMT https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486751#M193731 to4kawa 2020-01-14T14:38:30Z https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486752#M193732 <P>Because I don't know the timezone offset. That's the whole issue.</P> Tue, 14 Jan 2020 14:40:20 GMT https://community.splunk.com/t5/Splunk-Search/Convert-a-string-in-ISO-8601-to-local-time-zone-accounting-for/m-p/486752#M193732 jkotula 2020-01-14T14:40:20Z