- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to convert UTC to CST in SPL?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Splunkers,
I am working on a search but I have encountered a road block in my search. I am attempting to change a UTC time zone to CST within the search. I was able to change the EPOCH times to CST but I am struggling to locate any documentation on how I can convert the UTC time to match the same as my CST results. I need to change my time to match the other time zones.
2022-08-31T21:04:52Z
needs to be converted to the same format as
08/31/2022 16:21:16
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To convert x_device.last_seen , try this:
| rename x_device.last_seen as last_seen
| eval last_seen = strftime(strptime(last_seen, "%Y-%m-%dT%H:%M:%S%Z"), "%m/%d/%Y %H:%M:%S")
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to change the time in search you can try the following:
Add this below main search
|eval time_format=strftime(_time, "%Y-%m-%d %H:%M:%S")
|eval time_epoch=strptime(time_format, "%Y-%m-%d %H:%M:%S")
|eval time_cst=time_epoch-21600
|eval _time=strftime(time_cst, "%Y-%m-%d %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This a snippet from my current search
index="x_devices" AND falcon_device.hostname=myhost
| spath
| stats count, min(_time) as firstTime, max(_time) as lastTime, max(_indextime) as recentTime, BY x_device.hostname, x_device.last_seen
| fieldformat firstTime=strftime(firstTime,"%m/%d/%Y %H:%M:%S")
| fieldformat lastTime=strftime(lastTime,"%m/%d/%Y %H:%M:%S")
| fieldformat recentTime=strftime(recentTime,"%m/%d/%Y %H:%M:%S")
| fieldformat lastUpdated=strftime(lastUpdated,"%m/%d/%Y %H:%M:%S")
| fields + x_device.hostname, x_device.last_seen, firstTime, lastTime, recentTime, lastUpdated, timeElapsed, hash, timeElapsed
The x_device.last_seen field in the following format
2022-08-24T22:06:01ZI can seem to get x_devices.last_seen in an epoch format.
I am currently only trying to change that field since all of my other times are already in the correct format. It appears that I may need to make modifications to transforms.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To convert x_device.last_seen , try this:
| rename x_device.last_seen as last_seen
| eval last_seen = strftime(strptime(last_seen, "%Y-%m-%dT%H:%M:%S%Z"), "%m/%d/%Y %H:%M:%S")
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@richgalloway that worked!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats count, min(_time) as firstTime, max(_time) as lastTime, max(_indextime) as recentTime, BY x_device.hostname, x_device.last_seen
|eval x_devices.last_seen=tostring(x_devices.last_seen)
|eval time_format=strftime( x_devices.last_seen, "%Y-%m-%d %H:%M:%S")
|eval time_epoch=strptime(time_format, "%Y-%m-%d %H:%M:%S")
|eval time_cst=time_epoch-21600
|eval x_devices.last_seen=strftime(time_cst, "%Y-%m-%d %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
|eval x_devices.last_seen=tostring(x_devices.last_seen)This is changing the value for "x_devices.last_seen" to NULL in the table. Is it possible that it is unable to convert it to a string?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try taking that part out and running everything below the eval to convert to string
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The short answer is: you can't.
Splunk will parse a timestamp from any time zone into UTC for internal storage. When that timestamp is displayed, however, it will always be in the user's chosen time zone.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am only wanting to change the time within this search and not on my indexers. If I understand your response correctly. There is zero way of converting the UTC time listed above into CST within the search. I do want to not I am not trying to change it across my indexers. Only within the search and dashboards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Notice my answer did not mention indexers. Splunk does not provide a means for converting time zones in searches and dashboard, because it does so automatically to the user's selected time zone.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are telling me that there is no way to convert
2022-08-24T22:06:01Zto an epoch format?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
