https://community.splunk.com/t5/Splunk-Search/Splunk-function-or-query-which-will-convert-event-timestamp/m-p/592500#M206221 <P>The <STRONG>_time</STRONG> field is stored as a unix timestamp (number of seconds since so-called "epoch") and is rendered in webui according to the timezone defined in user's preferences. There is no way to set another timezone within a search.</P><P>If you want to parse another field from the event (which is most likely represented in some string form), you should use strptime() to convert from that string to timestamp and then use fieldformat (preferably) or eval with strftime to convert this timestamp to a string.</P><P>And again - splunk always shows the timestamp in user's timezone but can parse and interpret a timezone if it's included in the date string. Otherwise it parses the datetime string as if it was in local time.</P><P>For example - if I'm located in CEST, the string "5.04.2022 18:57:00", if I call strptime with proper format string will get interpreted as 18:57 CEST. But if the string says "5.04.2022 18:57:00PDT" and I tell splunk to use the timezone definition, it will get parsed as PDT time even though my local timezone is CEST. But if I call strftime on both timestamps, they will be both rendered in CEST, regardless of what timezone the initial string contained.</P> Tue, 05 Apr 2022 16:59:30 GMT PickleRick 2022-04-05T16:59:30Z https://community.splunk.com/t5/Splunk-Search/Splunk-function-or-query-which-will-convert-event-timestamp/m-p/592492#M206218 <P>Looking splunk function or query to change timestamp of&nbsp; <STRONG>"_time"</STRONG> field in local timestamp.</P><P>when we present statistical table of data with time field then that time field value should converted to local time irrespective of location where query are getting executed.</P><P>EX:-</P><TABLE width="1053"><TBODY><TR><TD width="64.45px">time</TD><TD width="794px">Message ID</TD><TD width="226.462px">Sender</TD><TD width="215.425px">Recipient</TD><TD width="70.825px">Subject</TD><TD width="105.188px">MessageSize</TD><TD width="139.5px">AttachmentName</TD><TD width="148.962px">dAttachmentName</TD><TD width="94.65px">FilterAction</TD><TD width="129.562px">FinalRule</TD><TD width="69.2px">TLS Version</TD></TR><TR><TD width="64.45px">4/5/22 9:01</TD><TD width="794px">&lt;DM5P102MB0126B6CF54A6B2F44B6F6BF295E49@DM5P102MB0126.NAMP102.PROD.OUTLOOK.COM&gt;</TD><TD width="226.462px">Darren_Collishaw@amat.com</TD><TD width="215.425px">tobycollishaw@hotmail.com</TD><TD width="70.825px">Courses - Youtube</TD><TD width="105.188px">15201</TD><TD width="139.5px"><P>text.txt text.html</P></TD><TD width="148.962px">&nbsp;</TD><TD width="94.65px">continue</TD><TD width="129.562px">outbound_clean</TD><TD width="69.2px">TLSv1.2</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><STRONG>"timestamp"</STRONG> column&nbsp; in above example should get changed according to local time zone when we execute query.</P> Tue, 05 Apr 2022 16:27:17 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-function-or-query-which-will-convert-event-timestamp/m-p/592492#M206218 Abhineet 2022-04-05T16:27:17Z https://community.splunk.com/t5/Splunk-Search/Splunk-function-or-query-which-will-convert-event-timestamp/m-p/592500#M206221 <P>The <STRONG>_time</STRONG> field is stored as a unix timestamp (number of seconds since so-called "epoch") and is rendered in webui according to the timezone defined in user's preferences. There is no way to set another timezone within a search.</P><P>If you want to parse another field from the event (which is most likely represented in some string form), you should use strptime() to convert from that string to timestamp and then use fieldformat (preferably) or eval with strftime to convert this timestamp to a string.</P><P>And again - splunk always shows the timestamp in user's timezone but can parse and interpret a timezone if it's included in the date string. Otherwise it parses the datetime string as if it was in local time.</P><P>For example - if I'm located in CEST, the string "5.04.2022 18:57:00", if I call strptime with proper format string will get interpreted as 18:57 CEST. But if the string says "5.04.2022 18:57:00PDT" and I tell splunk to use the timezone definition, it will get parsed as PDT time even though my local timezone is CEST. But if I call strftime on both timestamps, they will be both rendered in CEST, regardless of what timezone the initial string contained.</P> Tue, 05 Apr 2022 16:59:30 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-function-or-query-which-will-convert-event-timestamp/m-p/592500#M206221 PickleRick 2022-04-05T16:59:30Z