Getting Data In

Convert from epoch returns wrong timezone?

peterson_wwt
New Member

Epoch/Unix times are always in UTC.

When I use convert to create a human readable time, the timezone ( %Z ) is somehow incorrect for some sourcetypes but correct for others.

I realize the timezone on those sourcetypes may be incorrect, but then the epoch time should reflect that.

example

 <base search>
| stats latest(_time) as latest_epoch earliest(_time) as earliest_epoch by sourcetype
| convert timeformat="%x %X %Z" ctime(latest_epoch) AS latest_human
| convert timeformat="%x %X %Z" ctime(earliest_epoch) AS earliest_human

This results in

   sourcetype      latest_epoch      earliest_epoch    earliest_human            latest_human
1  sourcetypeA     1553733248.762    1553718850.771    03/27/19 14:34:10 MDT     03/27/19 18:34:08 MDT
2  sourcetypeB     1553733250        1553733250        03/27/19 18:34:10 MDT     03/27/19 18:34:10 MDT
3  sourcetypeC     1553733253        1553733253        03/27/19 18:34:13 MDT     03/27/19 18:34:13 MDT
4  sourcetypeD     1553733250        1553718190.756    03/27/19 14:23:10 MDT     03/27/19 18:34:10 MDT
5  sourcetypeE     1553733250        1553733250        03/27/19 18:34:10 MDT     03/27/19 18:34:10 MDT

As you can see, rows 2, 3 & 5 are correct. Rows 1 and 4 are not. However, all rows have essentially the same epoch time.

Epoch time is always in GMT, so why is it being converted to two different timezones yet also claiming to be MDT?

What gives?


wmyersas
Builder

What makes you think the timezones are wrong?

Lines 1 & 4 have an earliest epoch time ~15000 seconds (or about 4.25 hours) earlier than their latest epoch time:

1  sourcetypeA     1553733248.762    1553718850.771       03/27/19 14:34:10 MDT     03/27/19 18:34:08 MDT
4  sourcetypeD     1553733250        1553718190.756       03/27/19 14:23:10 MDT     03/27/19 18:34:10 MDT

Those seem to be perfectly fine to me.


Sidebar - hadn't run into anyone using convert before: I've always used | eval timefield=strftime(epochfield,"<format>") (and most often use "%c" as my time formatter)

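To check the arithmetic behind the answer above, here is an added Python example (not from the original thread or from Splunk) that takes the epoch values from rows 1 and 4 of the question's table, renders each one in UTC and in a Mountain display zone the way `convert ... ctime` with `%x %X %Z` does, and reports the gap between earliest and latest. The display zone name `America/Denver` and the fixed UTC-6 fallback are assumptions; the epoch values are copied from the question.

```python
from datetime import datetime, timedelta, timezone

# Epoch values copied from rows 1 and 4 of the question's result table:
# sourcetype -> (latest_epoch, earliest_epoch)
ROWS = {
    "sourcetypeA": (1553733248.762, 1553718850.771),
    "sourcetypeD": (1553733250, 1553718190.756),
}


def mountain_zone():
    """Display zone for the rendered strings (assumed America/Denver).

    Falls back to a fixed UTC-6 offset labelled MDT if the system has no
    tz database; on 2019-03-27 Denver was on daylight time, so both agree.
    """
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo("America/Denver")
    except Exception:  # no tzdata available
        return timezone(timedelta(hours=-6), "MDT")


def render(epoch, tz):
    """Render one absolute epoch in a display zone, like convert's %x %X %Z.

    The epoch itself carries no zone; %Z only names the zone chosen here.
    """
    return datetime.fromtimestamp(epoch, tz).strftime("%m/%d/%y %H:%M:%S %Z")


def explain(sourcetype):
    """Return the same epoch pair rendered in UTC and Mountain, plus the gap."""
    latest, earliest = ROWS[sourcetype]
    tz = mountain_zone()
    return {
        "earliest_utc": render(earliest, timezone.utc),
        "latest_utc": render(latest, timezone.utc),
        "earliest_local": render(earliest, tz),
        "latest_local": render(latest, tz),
        # Hours between earliest and latest; this, not a timezone shift,
        # is why the two human-readable columns differ.
        "gap_hours": round((latest - earliest) / 3600, 2),
    }


if __name__ == "__main__":
    for st in ROWS:
        print(st, explain(st))
```

The local renderings match the question's table exactly, and the UTC column shows the latest events actually fall on 03/28 in UTC, so the roughly four-hour gap between earliest and latest is real and both columns are in the same zone.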