Convert _time to different time zone while searchi...

santosh_sshanbh · ‎06-08-2018

I have a Splunk cloud instance getting data from multiple forwarders across globe from different time zone. I do have a heavy forwarder where I am converting the time to respective server time zone using below stanza in props.conf

[host::DSF-*]
TZ = America/Mexico_City

While viewing the dashboards, I want the data to be automatically converted into server time zone. One of the solution for this is to set the user time zone to server time zone. But this can not be done all the time as users have to see data for multiple servers at one time.

So what is the best way to convert the _time field to server time zone automatically while searching. I can maintain the lookup of host and its timezone.

logloganathan · ‎06-11-2018

Hi,

Please refer the answer. it must help you

https://answers.splunk.com/answers/320021/how-do-i-set-timezone-properly-in-propsconf.html

Thanks
Loganathan C

ansif · ‎06-11-2018

You can use strptime and strftime to convert timezone.

Get the lookup in the search and use CASE command to convert time to server timezone based on your server DNS name or something.

santosh_sshanbh · ‎06-12-2018

Can you please elaborate more on how to do this? I tried eval _time=strptime(strftime(_time,"%m/%d/%Y %H:%M:%S Asia/Bangkok"),"%m/%d/%Y %H:%M:%S %Z") after my base search but somehow I am not getting expected results.

May be the earliest and latest time is applied first before the _time is converted.

Convert _time to different time zone while searching

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!