Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Convert GMT to CST timezone

ravir_jbp
Explorer
‎11-22-2023 03:44 AM

I am trying to conver the GMT time to CST time. I am able to get the desire data using below query. Now I am looking for query to convert GMT time to CST.

 

index=test AcdId="*" AgentId="*" AgentLogon="*" chg="*" seqTimestamp"*" currStateStart="*" currActCodeOid="*" currActStart="*" schedActCodeOid="*" schedActStart="*" nextActCodeOid="*" nextActStart="*" schedDate="*" adherenceStart="*" acdtimediff="*"
| eval seqTimestamp=replace(seqTimestamp,"^(.+)T(.+)Z$","\1 \2")
| eval currStateStart=replace(currStateStart,"^(.+)T(.+)Z$","\1 \2")
| eval currActStart=replace(currActStart,"^(.+)T(.+)Z$","\1 \2")
| eval schedActStart=replace(schedActStart,"^(.+)T(.+)Z$","\1 \2")
| eval nextActStart=replace(nextActStart,"^(.+)T(.+)Z$","\1 \2")
| eval adherenceStart=replace(adherenceStart,"^(.+)T(.+)Z$","\1 \2")
| table AcdId, AgentId, AgentLogon, chg, seqTimestamp,seqTimestamp1, currStateStart, currActCodeOid, currActStart, schedActCodeOid, schedActStart, nextActCodeOid, nextActStart, schedDate, adherenceStart, acdtimediff

Below are the results I am getting:

image.JPG

Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-22-2023 11:27 PM

To add to @ITWhisperer 's answer - Splunk processes timestamp as "unix timestamps" - integers containing number of seconds since epoch. As such, timestamp is "timezoneless", it's just rendered when needed into a string, possibly containing a timezone description. But timestamp is always (when rendered automatically by WebUI or explicitly when strftime is called) rendered in user's timezone (the one set in user's preferences).

So while with strptime you can read and apply the timezone offset from the string representation of a given point in time, strftime doesn't let you specify the timezone freely.

The only thing you can do is "cheat" a bit by manually adjusting the timezone with the offset to another timezone and render it in your local timezone but without displaying said timezone.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-22-2023 04:11 AM

You need to add (or subtract) the timezone offset from the times. To do this, you  should parse the time strings to epoch datetimes with strptime(), change the time appropriately, and then reformat them with strftime().

0 Karma
Reply

ravir_jbp
Explorer
‎11-22-2023 10:42 PM

Hello @ITWhisperer  can you give me one example on how to convert that

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-23-2023 01:08 AM 
| eval curActStart=strftime(strptime(curActStart,"%F %T.%S")+(60*60*5)+(60*30),"%F %T.%S")
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...