Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Eval to find current time in another timezone

BP9906
Builder
‎05-12-2014 03:50 PM

I'm familiar with strftime and starptime command and timezones, but cant seem to manipulate now() and convert to a known timezone. As an example now() returns in PDT timezone and I would like to convert now() to CST6CDT. I tried using eval to do a diff but it doesnt return the field. Any idea why?

| eval time_diff=strptime("CST6CDT", "%Z")

Tags (2)
0 Karma
Reply

arthurh
Engager
‎04-16-2017 08:29 AM

I needed to get the current time in UTC timezone:

 | eval utc_hourid=strftime(relative_time(now(),"+".(tonumber(strftime(now(),"%H"))-tonumber(strftime(strptime(strftime(now(),"%m/%d/%Y %H:%M:%S UTC"),"%m/%d/%Y %H:%M:%S %Z"),"%H")))."h"),"%m/%d/%Y %H:%M:%S")

You can probably turn this eval exp to get current time in any timezone, just replace "UTC" with the timezone you want. This work with daylight savings time

0 Karma
Reply

nekb1958
Path Finder
‎05-13-2014 12:24 AM

Hi MuS
great search, it inspired me to look a little closer and do it even more general (i wondered first why you eval´ed AKDT and CEST), with only one timeformat string 

index=_internal | head 1 | eval foo=relative_time(now(), "-90m@s" ) | eval boo=relative_time(now(), "+21m@s" ) | eval now=now() | convert timeformat="%d.%m.%y %H:%M:%S" ctime(now), ctime(foo), ctime(boo) | t
0 Karma
Reply

BP9906
Builder
‎05-13-2014 07:34 AM

Close but not quite: http://answers.splunk.com/answers/4528/finding-your-local-timezone-with-eval

0 Karma
Reply

BP9906
Builder
‎05-13-2014 07:33 AM

Thank you both for feedback. I also found another Splunk search that will convert the offset value (ie -0400) to relative time and then change it. This is almost what I'm looking for. The problem is that I have all our customer's timezones and I would like to create the alert based on their local business hours. So if the time is between these local business hours, send the alert. The timezone codes are all the standardized notation that Splunk (python) supports but it seems like trying to convert the timezone code to epoch time doesnt work.

0 Karma
Reply

MuS
Legend
‎05-12-2014 11:02 PM

Hi BP9906,

try this run everywhere command:

index=_internal | head 1 | eval AKDT="-8h" | eval CEST="+2h" | eval foo=relative_time(now(), AKDT ) | eval boo=relative_time(now(), CEST ) | eval foo=strftime(foo, "%Y-%m-%d %H:%M:%S.%3N" ) | eval boo=strftime(boo, "%Y-%m-%d %H:%M:%S.%3N" ) | table foo boo

the times for foo and boo are in AKDT (Alaska Daylight Time) and CEST (Central European Summer Time). As you can see I had to eval them first and then use them with relative_time.

To take this one step further, you could setup some automatic lookup containing all TZ and use them to do your time calculations.

hope this helps ...

cheers, MuS

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-12-2014 04:12 PM

Might not be what you're looking for, but you can change the time zone your Splunk user is in to make Splunk display all times appropriately.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...