All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How guarantee CUCM CDR Timestamps parsing in my timezone ?

radw62
Path Finder
‎07-15-2016 09:03 AM

Hello, How can I guarantee that Splunk parse the CUCM CDR Timestamps in my timezone (UTC -5) ? (As CUCM CDR raw timestamps come in UTC)

Regards.

Reply
1 Solution
Solved! Jump to solution
Solution

radw62
Path Finder
‎08-12-2016 06:01 AM

Hello, let me explain again my concern:

Suppose that I want to query all calls (initiated or terminated) on July , in my time zone (i.e UTC -5). How Splunk (or your app) could really query that calls in this time range in my time zone? Or where can I define correctly the time range (on my timezone) in my query ? (like CUCM CAR Tool or RTMT where both require that I define the time zone besides the time range for query calls).

Thanks and regards.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

radw62
Path Finder
‎08-12-2016 06:01 AM

Hello, let me explain again my concern:

Suppose that I want to query all calls (initiated or terminated) on July , in my time zone (i.e UTC -5). How Splunk (or your app) could really query that calls in this time range in my time zone? Or where can I define correctly the time range (on my timezone) in my query ? (like CUCM CAR Tool or RTMT where both require that I define the time zone besides the time range for query calls).

Thanks and regards.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎08-12-2016 08:49 AM

The Splunk framework itself will always interpret the timerange arguments within your search in the timezone that the Splunk server is located in. Likewise it displays times localized into that same timezone that the Splunk server is located in.
That is usually what people want. In rare cases it becomes necessary to override that behavior and that can be done in the conf.

So, to use your example here. If the Splunk server is installed on a host where the timezone is set to "GMT", all the timerange arguments of your searches and reports (eg 10/1/2015 16:00:00) will be interpreted within that TZ.

0 Karma
Reply
Solved! Jump to solution

radw62
Path Finder
‎07-29-2016 01:55 PM

Hello, thanks for your answers.

Yes, in fact, I installed "Cisco CDR Reporting and Analytics" app inside Splunk and I parsed the CDRs with it. However, I remained in doubt, if it really parsed the CDRs in my timezone (different from UTC), and I want to make sure of that, with the props.conf file or with something else within the CDR app.

Regards.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎07-29-2016 02:15 PM

That's great. OK well Callmanager CDR lists all timestamps in epochtime, and in that format there is no concept of any associated timezone nor is any needed, so there's kind of no way to get this part wrong.

To give an example, let's say callmanager says a call originated at 1469800000.
That one number is sufficient to completely determine the time, without any need for any associated timezone.

That epochtime value of "1469800000", if written out as a string, in GMT would be Fri, 29 Jul 2016 13:46:40 GMT
and in US Pacific time that same instant in time is 7/29/2016, 6:46:40 AM GMT-7:00 DST

Those strings need tz information to determine what time they're talking about, but epochtime timestamps don't.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎07-28-2016 05:20 PM

I think the Timezone part of this question is a bit of a red herring.
Callmanager CDR reports its timestamps in epochtime, which is often confused with UTC. UTC is technically a timezone, sort of like GMT without any Daylight Saving Time shenanigans. Epochtime on the other hand is simply the number of seconds since midnight on 1/1/1970 gmt. Despite the odd gmt reference there at the end, the number of seconds itself entirely determines the time, no TZ info is necessary or needed by Splunk.

As to how to display this time and date as a string, Splunk by default uses the timezone that it is located in. This can be changed in user-prefs.conf but it's not often done.

You might also take a look at the Splunk app "Cisco CDR Reporting and Analytics". Although it's not free, it is available as a free 90 day trial.

I'm certainly biased as it's owner and creator, but it enables a very wide range of reporting use cases on Callmanager CDR and you may find it very useful. ( http://sideviewapps.com/apps/cisco-cdr-reporting-and-analytics/ ) There are several timestamps in Callmanager CDR data and although dealing with them correctly isn't particularly difficult, it's one of many things that the app would handle for you.

0 Karma
Reply
Solved! Jump to solution

TStrauch
Communicator
‎07-15-2016 02:03 PM

Hi radw,

take a look at the props.conf documentation. There is a parameter called "TZ" you can set it for the sourcetype. Hope this will help you.

Kind regards

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...