Getting Data In

Convert from epoch returns wrong timezone?

peterson_wwt
New Member

Epoch/Unix times are always in UTC.

When I use convert to create a human readable time, the timezone ( %Z ) is somehow incorrect for some sourcetypes but correct for others.

I realize the timezone on those sourcetypes may be incorrect, but then the epoch time should reflect that.

Example:

 <base search>
| stats latest(_time) as latest_epoch earliest(_time) as earliest_epoch by sourcetype
| convert timeformat="%x %X %Z" ctime(latest_epoch) AS latest_human
| convert timeformat="%x %X %Z" ctime(earliest_epoch) AS earliest_human

This results in

   sourcetype      latest_epoch      earliest_epoch    earliest_human            latest_human
1  sourcetypeA     1553733248.762    1553718850.771    03/27/19 14:34:10 MDT     03/27/19 18:34:08 MDT
2  sourcetypeB     1553733250        1553733250        03/27/19 18:34:10 MDT     03/27/19 18:34:10 MDT
3  sourcetypeC     1553733253        1553733253        03/27/19 18:34:13 MDT     03/27/19 18:34:13 MDT
4  sourcetypeD     1553733250        1553718190.756    03/27/19 14:23:10 MDT     03/27/19 18:34:10 MDT
5  sourcetypeE     1553733250        1553733250        03/27/19 18:34:10 MDT     03/27/19 18:34:10 MDT

As you can see, rows 2, 3 & 5 are correct. Rows 1 and 4 are not. However, all rows have essentially the same epoch time.

Epoch time is always in GMT, so why is it being converted to two different timezones, yet also claiming to be MDT?

What gives?


wmyersas
Builder

What makes you think the timezones are wrong?

Lines 1 & 4 have an earliest epoch time ~15000 seconds (or about 4.25 hours) earlier than their latest epoch time:

1  sourcetypeA     1553733248.762    1553718850.771       03/27/19 14:34:10 MDT     03/27/19 18:34:08 MDT
4  sourcetypeD     1553733250        1553718190.756       03/27/19 14:23:10 MDT     03/27/19 18:34:10 MDT

Those seem to be perfectly fine to me.


Sidebar - hadn't run into anyone using convert before: I've always used | eval timefield=strftime(epochfield,"<format>") (and most often use "%c" as my time formatter)

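The check wmyersas is making, carried out outside Splunk so it can be reproduced offline: convert the four epoch values from rows 1 and 4 of the question to Mountain time the way convert's ctime does (fractional seconds truncated, then rendered in the local zone), and compare the gap between the two human-readable times with the gap between the two epoch values. This is an added example, not code from the thread or from Splunk; it assumes the search head's timezone is America/Denver (falling back to a fixed UTC-6 offset labelled MDT if the system has no tz database) and uses an explicit "%m/%d/%y %H:%M:%S %Z" format, which is what "%x %X %Z" produces under the C locale.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: (latest_epoch, earliest_epoch) for rows 1 and 4 of the question.
ROWS = {
    "sourcetypeA": (1553733248.762, 1553718850.771),
    "sourcetypeD": (1553733250, 1553718190.756),
}

# Assumption: the Splunk search head runs in Mountain time (America/Denver).
def mountain_tz():
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo("America/Denver")
    except Exception:
        # No tz database available: assume a fixed UTC-6 offset named MDT,
        # which is correct for 2019-03-27 (daylight time was in effect).
        return timezone(timedelta(hours=-6), "MDT")

def ctime_like(epoch, tz, fmt="%m/%d/%y %H:%M:%S %Z"):
    # Mimic `convert ctime(...)`: drop fractional seconds, render in the local zone.
    # Epoch is an absolute instant; only the rendering depends on tz.
    return datetime.fromtimestamp(int(epoch), tz=tz).strftime(fmt)

def explain_row(sourcetype, latest, earliest, tz):
    # The gap between the rendered times must equal the gap between the epochs;
    # if it does, the zone label is consistent and the two events simply differ.
    gap = latest - earliest
    return {
        "sourcetype": sourcetype,
        "latest_human": ctime_like(latest, tz),
        "earliest_human": ctime_like(earliest, tz),
        "latest_utc": ctime_like(latest, timezone.utc),
        "earliest_utc": ctime_like(earliest, timezone.utc),
        "gap_seconds": round(gap, 3),
        "gap_hours": round(gap / 3600, 2),
    }

def explain_all(rows=ROWS):
    tz = mountain_tz()
    return [explain_row(st, lat, ear, tz) for st, (lat, ear) in rows.items()]

if __name__ == "__main__":
    for r in explain_all():
        print(f"{r['sourcetype']}: earliest {r['earliest_human']} ({r['earliest_utc']}), "
              f"latest {r['latest_human']} ({r['latest_utc']}), "
              f"gap {r['gap_seconds']} s = {r['gap_hours']} h")
```

Both rows render with the same MDT label and the same UTC-6 offset; the four-hour difference the question reads as a timezone error is just the difference between the two epoch values, which is what `earliest(_time)` and `latest(_time)` are expected to produce when a sourcetype has events spread over the search window.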