Solved: How to convert GMT to EDT?

davidcraven02 · ‎04-10-2018

How could I convert this GMT time to EDT?

index="wineventlog" host=opdc* Account_Name=*test_user EventCode=4624 
| makemv Account_Name
| mvexpand Account_Name
| eval day=strftime(_time, "%d-%m-%y") 
| join type=left src_ip 
    [ search index=ad source=addnsscan earliest=-12h@h latest=now 
    | rename data as src_ip, name as hostname
    | fields src_ip, hostname] 
| stats earliest(_time) AS earliest by Account_Name, src_ip, hostname, day 
| eval earliest=strftime(earliest,"%d/%m/%Y %H.%M.%S %Z")

alt text

somesoni2 · ‎04-10-2018

Give this a try
Updated

index="wineventlog" host=opdc* Account_Name=*test_user EventCode=4624 
 | makemv Account_Name
 | mvexpand Account_Name
 | eval day=strftime(_time, "%d-%m-%y") 
 | join type=left src_ip 
     [ search index=ad source=addnsscan earliest=-12h@h latest=now 
     | rename data as src_ip, name as hostname
     | fields src_ip, hostname] 
 | stats earliest(_time) AS earliest by Account_Name, src_ip, hostname, day 
| eval offset=strptime("00:00Z","%H:%M%Z")-strptime("00:00EDT","%H:%M%Z")
 | eval earliest=strftime(earliest+offset,"%d/%m/%Y %H.%M.%S %Z")
| fields - offset

View solution in original post

somesoni2 · ‎04-10-2018

Give this a try
Updated

index="wineventlog" host=opdc* Account_Name=*test_user EventCode=4624 
 | makemv Account_Name
 | mvexpand Account_Name
 | eval day=strftime(_time, "%d-%m-%y") 
 | join type=left src_ip 
     [ search index=ad source=addnsscan earliest=-12h@h latest=now 
     | rename data as src_ip, name as hostname
     | fields src_ip, hostname] 
 | stats earliest(_time) AS earliest by Account_Name, src_ip, hostname, day 
| eval offset=strptime("00:00Z","%H:%M%Z")-strptime("00:00EDT","%H:%M%Z")
 | eval earliest=strftime(earliest+offset,"%d/%m/%Y %H.%M.%S %Z")
| fields - offset

davidcraven02 · ‎04-10-2018

Thank you for this but the earliest field is blank.

somesoni2 · ‎04-10-2018

Try the updated answer. Fixed a typo in first strptime in eval for offset.

davidcraven02 · ‎04-10-2018

Perfect thank you!!

How to convert GMT to EDT?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

How to convert GMT to EDT?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I