All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I convert timestamps to UTC from Pacific time (ISO 8601 format)?

orion44
Communicator
‎12-11-2018 03:14 PM

My Splunk indexer is operating in the Pacific time zone (can't be changed) and I need to output timestamps in a report to UTC. I currently convert the existing _time to ISO 8601 format time via:
eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S%z")

How I can take it a step further to convert mytime into the UTC timezone?

Tags (1)
0 Karma
Reply

orion44
Communicator
‎12-20-2018 11:06 PM

I was able to convert the PT timestamps to UTC (time_utc) via the following eval:

eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch, "%Y-%m-%dT%H:%M:%SZ")

0 Karma
Reply

whrg
Motivator
‎12-12-2018 12:21 AM

Hello @orion44,

First some clarification: When you index a log file, you need to make sure that the indexer/forwarder has the correct system time zone set. Also, you need to make sure that Splunk recognizes the time stamp of the log file. If the log file is not in local time and if the events' timestamps do not contain any time zone information, then the time zone can be manually set for certain log files via props.conf.
Events are then indexed and stored in epoch time (I believe), which is independant from any time zone.
Now when you run a Splunk search on the search head, events are displayed in the time zone set in the user preferences. The same applies for strftime().

I assume your user preferences are set to Pacific time. You could change that to GMT. However, that will affect all searches by your user.

Since _time is an epoch time object, you could try a simple hack like this:

eval mytime=strftime(_time+8*3600,"%Y-%m-%dT%H:%M:%S")

This will get you something like:

_time                 mytime
2018-12-12 00:19:26 2018-12-12T08:19:26
0 Karma
Reply

prakash007
Builder
‎12-11-2018 04:27 PM

You can define your timezone in your props.conf by sourcetype/source/host...this splunk doc should help..
http://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Applytimezoneoffsetstotimestamps#How_Splunk_s...

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...