
mktime not picking up timezone information (Zulu/UTC, aka "Z")

shawnce
Engager

I have a stream of events being generated by software running on customers' systems (aka "endpoint") that are sent into our backend ultimately to be indexed by splunk. Each event contains at least one timestamp in it that we want to convert at search time to be usable as a time for things like bucketing, etc. These timestamps aren't picked up at index time (purposely for now).

The timestamps are in the following format: "2014-04-03T19:14:19.00200Z" (timezone is Zulu or UTC)

I am attempting to use the following to convert the ev_time field into a time that can later be used to bucket, etc. events based on time reported by an "endpoint".

index=myindex | convert timeformat="%FT%T.%5N%Z" mktime(ev_time) | fieldformat ev_time=strftime(ev_time, "%F %T.%3N %Z") | bucket ev_time span=1h | ...etc

This is working fine however the timezone isn't being picked up as UTC but instead is defaulting to PDT/PST (server & source type default timezone). This results in things being time-shifted forward by the difference between UTC and PDT/PST.

Is "Z" not picked up as UTC by mktime (aka by way of %Z)? Do we have to use "UTC" as the timezone qualifier in the timestamps?


martin_mueller
SplunkTrust

It seems to work for me though - running this search:

| stats count | eval ev_time = "2014-04-03T19:14:19.00200Z" | eval converted_time_1 = ev_time | convert timeformat="%FT%T.%5N%Z" mktime(converted_time_1) | eval converted_time_2 = strftime(converted_time_1, "%F %T.%3N %Z")

gives me a converted_time_2 of 9:14PM in my server's timezone, which is UTC+2. The epoch timestamp in converted_time_1 of 1396552459.002 correctly resolves to 7:14PM UTC.
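
The accepted answer's epoch value can be checked outside Splunk, and the question's symptom (a Zulu timestamp silently treated as server-local time) can be reproduced in a few lines. The following Python is an added example, not code from the thread and not Splunk's own implementation of mktime; it uses Python's strptime, where lowercase %z accepts a literal "Z" (Python 3.7+) while uppercase %Z only matches zone names. The function names are hypothetical, the sample timestamp is the one quoted above, and the server zone is assumed to be PDT (UTC-7) as a fixed offset, which is what the thread's server was on in April 2014.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample input: the Zulu timestamp quoted in the thread.
SAMPLE_TS = "2014-04-03T19:14:19.00200Z"

# Assumed server zone for the demonstration: PDT, i.e. UTC-7 (April 2014).
PDT = timezone(timedelta(hours=-7), "PDT")


def parse_zulu_aware(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp ending in 'Z' into a UTC-aware datetime.

    The lowercase %z directive matches a numeric offset and, since Python 3.7,
    also the literal 'Z' meaning +00:00.  %f accepts 1-6 fractional digits,
    so the five-digit '.00200' is read as 2 milliseconds.
    """
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_zulu_naive(ts: str) -> datetime:
    """Consume the trailing 'Z' as a literal character and discard the offset.

    This is the failure mode described in the question: the zone marker is
    matched but not interpreted, so the result carries no tzinfo at all.
    """
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def to_epoch(dt: datetime, assumed_zone: timezone = timezone.utc) -> float:
    """Unix epoch seconds.  A naive datetime is *assumed* to be in assumed_zone,
    which is exactly where a silent shift sneaks in when that assumption is wrong."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=assumed_zone)
    return dt.timestamp()


def shift_if_z_ignored(ts: str, server_zone: timezone) -> float:
    """Seconds by which the epoch moves when 'Z' is dropped and the server's
    zone is assumed instead (positive = shifted forward in time)."""
    correct = to_epoch(parse_zulu_aware(ts))
    wrong = to_epoch(parse_zulu_naive(ts), assumed_zone=server_zone)
    return wrong - correct


def zone_token_accepted_by_upper_z(token: str) -> bool:
    """Does strptime's %Z (zone *name*) directive accept this token?

    %Z only recognises 'UTC', 'GMT' and the local zone names, so 'UTC' is
    accepted while a bare 'Z' is rejected; 'Z' has to go through %z instead.
    """
    try:
        datetime.strptime(f"2014-04-03 19:14:19 {token}", "%Y-%m-%d %H:%M:%S %Z")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("UTC-aware epoch  :", to_epoch(parse_zulu_aware(SAMPLE_TS)))
    print("naive-as-PDT epoch:", to_epoch(parse_zulu_naive(SAMPLE_TS), PDT))
    print("shift (s)         :", shift_if_z_ignored(SAMPLE_TS, PDT))
    for tok in ("UTC", "Z"):
        print(f"%Z accepts {tok!r}:", zone_token_accepted_by_upper_z(tok))
```

Running it gives 1396552459.002 for the aware parse, matching the converted_time_1 in the answer, and a forward shift of exactly 25200 seconds (7 hours) when the "Z" is consumed but ignored and PDT is assumed, which is the symptom the question describes. The last two lines show why the directive matters: "UTC" is accepted as a zone name, a bare "Z" is not.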

martin_mueller
SplunkTrust

No worries - to ease future debugging, you may want to take a look at the Search Exploder view shipped with SideviewUtils: http://apps.splunk.com/app/1486/


shawnce
Engager

Yeah, so it looks like it's working...

... | convert timeformat="%FT%T.%6N%Z" mktime(ev_time) AS ev_time2 | fieldformat ev_time3=strftime(ev_time2, "%F %T.%3N %Z") | table _time, ev_time, ev_time2, ev_time3

_time                ev_time                     ev_time2          ev_time3
2014-04-03 14:35:18  2014-04-03T21:35:03.47100Z  1396560903.47100  2014-04-03 14:35:03.471 PDT

...and testing another way it also works...

... | eval ev_time_org =ev_time | convert timeformat="%FT%T.%5N%Z" mktime(ev_time) | fieldformat ev_time=strftime(ev_time, "%F %T.%3N %Z") | table _time, ev_time, ev_time_org

_time                ev_time                      ev_time_org
2014-04-03 14:37:52  2014-04-03 14:37:14.583 PDT  2014-04-03T21:37:14.58300Z

Sorry all, not sure why it appeared to be failing for me in early tests.


shawnce
Engager

Huh yeah... running your example on our system it looks to pick up the timezone correctly. ...off to double-check my original attempts at indexed events

converted_time_1 1396552459.00200
converted_time_2 2014-04-03 12:14:19.002 PDT
ev_time 2014-04-03T19:14:19.00200Z


somesoni2
SplunkTrust

Based on Splunk's zoneinfo database (http://en.wikipedia.org/wiki/List_of_zoneinfo_timezones), 'Z' is not listed as a timezone value (to be identified by '%Z'). If you can change/replace the zone name from 'Z' to UTC or GMT or Zulu, that can work.
