Solved: How do I convert "2022-11-01T23:56:07UTC" into MET...

vgrote · ‎11-02-2022

Hi,

I searched a lot and found no answer.

I have data with the above timestamp and I want to convert it into local time.

 extract="year, month, day, hour, minute, second, zone"

with

(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\S+)\s+

works OK when time zone is given in the form of "+0000", yet not with "UTC".

Is there something like "litzone" available?

Thanks in advance

Volkmar

vgrote · ‎11-03-2022

Thanks, Rich, for the swift reply. I realised that my problem statement was not correct, "convert ... into MET" is misleading. "At input time, honour a given time zone and do not assume local time" would have been slightly better.

My problem is that there are different data formats in that input file, some UTC, some local time. Splunk converts all from local time into UTC for storage. Therefore I want Splunk to honour a time zone if present. Otherwise processing them later together and with data from other sources becomes a bit complicated.

However, either my tests yesterday were wrong or some plug has been pulled, yet it seems to work as expected now:

2022-11-02T16:32:01+0300 UTC Test -> 02/11/2022 14:32:01.000
2022-11-02T16:32:02-0400 UTC Test -> 02/11/2022 21:32:02.000
2022-11-02T16:32:03-0000 UTC Test -> 02/11/2022 17:32:03.000
2022-11-02T16:32:040100 UTC Test -> 03/11/2022 08:31:41.000 = time of data entry (CET/+0100)
2022-11-02T16:32:05CET Test -> 02/11/2022 16:32:05.000
2022-11-02T16:32:06DUMMY Test -> 03/11/2022 08:51:38.000 = time of data entry (CET/+0100)
2022-11-02T16:32:07GMT Test -> 02/11/2022 17:32:07.000
2022-11-02T16:32:08UTC Test -> 02/11/2022 17:32:08.000

All's well that ends well!

Volkmar

View solution in original post

richgalloway · ‎11-02-2022

Splunk provides the strptime function for converting timestamps. Splunk will store the converted time in UTC and convert it to the user's preferred time zone when displayed.

| eval TS=strptime(<field>, "%Y-%m-%dT%H:%M:%S%Z"

Your regex should work with both "UTC" and "+0000". I had better results by omitting the trailing (and redundant) "\s+". However, datetime.xml does not and cannot convert between time zones. Like the strptime function, it's purpose is to convert a date-time string into its internal representation. Local time zone conversion is handled at display time.

---
If this reply helps you, Karma would be appreciated.

vgrote · ‎11-03-2022

Thanks, Rich, for the swift reply. I realised that my problem statement was not correct, "convert ... into MET" is misleading. "At input time, honour a given time zone and do not assume local time" would have been slightly better.

My problem is that there are different data formats in that input file, some UTC, some local time. Splunk converts all from local time into UTC for storage. Therefore I want Splunk to honour a time zone if present. Otherwise processing them later together and with data from other sources becomes a bit complicated.

However, either my tests yesterday were wrong or some plug has been pulled, yet it seems to work as expected now:

2022-11-02T16:32:01+0300 UTC Test -> 02/11/2022 14:32:01.000
2022-11-02T16:32:02-0400 UTC Test -> 02/11/2022 21:32:02.000
2022-11-02T16:32:03-0000 UTC Test -> 02/11/2022 17:32:03.000
2022-11-02T16:32:040100 UTC Test -> 03/11/2022 08:31:41.000 = time of data entry (CET/+0100)
2022-11-02T16:32:05CET Test -> 02/11/2022 16:32:05.000
2022-11-02T16:32:06DUMMY Test -> 03/11/2022 08:51:38.000 = time of data entry (CET/+0100)
2022-11-02T16:32:07GMT Test -> 02/11/2022 17:32:07.000
2022-11-02T16:32:08UTC Test -> 02/11/2022 17:32:08.000

All's well that ends well!

Volkmar

How do I convert "2022-11-01T23:56:07UTC" into MET in datetime.xml?

field extraction

time

XML

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?