Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- GeoJSON data has timezone expressed in minutes off...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
GeoJSON data has timezone expressed in minutes offset from UTC
Trying to consume some seismic data which input has a timestamp expressed in epoch time, but a timezone offset field expressed in
[-1200, +1200]
Description
Timezone offset from UTC in minutes at the event epicenter.
the offset above has no correlation with the known props.conf TIME_FORMAT's timezones
%z UTC offset in the form +HHMM
Was thinking about setting up a custom datetime.xml but couldn't find any "extract=" variable there meant to grab offsets,
couldn't find the python module which parses datetime.xml either
How should we approach this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this the format specification of the data you're working with?
If so then you don't need any translation as the time field is already milliseconds since the UTC epoch. The tz field can be used at search time to help group events based on the local time, but per the spec doesn't seem to be needed for parsing events into Splunk correctly.
You could use a props.conf setting to say TIME_FORMAT = %s%3N although this might change slightly (and deployment may change slightly) depending on if you're using INDEXED_EXTRACTIONS, and thus could specify the field that contains the time or not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes acharlieh, wanted to help a colleague which came up with this question and got carried away with the redundant offset. epoch is UTC so already provides time trustability
Yep either setting this with a TIME_PREFIX and TIME_FORMAT combo or setting JSON INDEXED_EXTRACTIONS and TIMESTAMP_FIELDS = time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You already have local epoch time.
Perhaps just add them together (or delta them, whichever works accurately) to calculate UTC epoch time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks DalJeanis,
Think I jumped the gun when I saw the offset and thus got confused
If we already have epoch (meaning UTC), we already have the real time the event happened
Was concerned about getting _time correct during indexing but UTC already ensures that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
... that makes more sense.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
