Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert date and time in UTC to EST?

nravichandran
Communicator
‎12-21-2016 01:28 PM

How to convert the DateTime in UTC to EST? I have the time value as 20161221211100.

Thank you in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎12-23-2016 09:53 AM

You can try strptime time specifiers and add a timezone (%z is for timezone as HourMinute format HHMM for example -0500 is for US Eastern Standard Time and %Z for timezone acronym for example EST is for US Eastern Standard Time.). However final result displayed will be based on Splunk Server time or User Settings. So if that suffices your need, instead of changing the timezone of the extracted field, you can modify the same through Logged in user's Account Settings in Splunk.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Option 1
| makeresults | eval Time="20161222221600" | eval TimeZone=Time+" -500"| eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %z"),"%Y/%m/%d %H:%M:%S %z") |

Option 2
| makeresults | eval Time="20161222221600" | eval TimeZone=Time+" -EST"| eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %Z"),"%Y/%m/%d %H:%M:%S %Z") |

Option 3
Account Settings in Splunk to change Global Timezone to EST.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎12-23-2016 09:53 AM

You can try strptime time specifiers and add a timezone (%z is for timezone as HourMinute format HHMM for example -0500 is for US Eastern Standard Time and %Z for timezone acronym for example EST is for US Eastern Standard Time.). However final result displayed will be based on Splunk Server time or User Settings. So if that suffices your need, instead of changing the timezone of the extracted field, you can modify the same through Logged in user's Account Settings in Splunk.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Option 1
| makeresults | eval Time="20161222221600" | eval TimeZone=Time+" -500"| eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %z"),"%Y/%m/%d %H:%M:%S %z") |

Option 2
| makeresults | eval Time="20161222221600" | eval TimeZone=Time+" -EST"| eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %Z"),"%Y/%m/%d %H:%M:%S %Z") |

Option 3
Account Settings in Splunk to change Global Timezone to EST.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

nravichandran
Communicator
‎01-03-2017 02:31 PM

No, I want to convert a field value logged as UTC to EST at search time. For example following is the log information:

Time: 12/22/16 5:42:00.000 PM
Last_accessed_at: 20161222221600 ( I want to convert to EST)

Reply
Solved! Jump to solution

niketn
Legend
‎01-04-2017 01:19 AM

You sample time does not have UTC identifier, so if you are seeing timezone in search in UTC that implies your Splunk server is running at UTC time or else your logged in User Account is set to UTC.

If you change logged in User Account settings to EST you will see FormatTime in EST while the TimeZone time is in GMT. Can you please run the following search in your Splunk Search and confirm the results for TimeZone and FormatTime?

| makeresults 
| eval Time="20161222091100" 
| eval TimeZone=Time+" GMT"
| eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %Z"),"%Y/%m/%d %H:%M:%S %Z")
| table TimeZone FormatTime
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Vidi
Engager
‎07-02-2020 07:23 AM

I tried this but seems this is not working.

I want to convert BST to EST please.

| eval BST=strftime(TransactTime/1000000000, "%d/%m/%y %H:%M:%S %Z" )
| eval TimeZone=BST+" -EST"
| eval ET=strftime(strptime(TimeZone,"%d/%m/%y %H:%M:%S %Z"),"%d/%m/%y %H:%M:%S %Z")
| table BST, ET

0 Karma
Reply
Solved! Jump to solution

nravichandran
Communicator
‎01-04-2017 12:35 PM

FormatTime - 2016/12/22 04:11:00 EST
TimeZone - 20161222091100 GMT

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-04-2017 12:38 PM

Is this not what you want? 09:11:00 GMT converted to 04:11:00 EST?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

nravichandran
Communicator
‎01-05-2017 06:37 AM

Exactly! Thank you!

0 Karma
Reply
Solved! Jump to solution

nkwong_splunk
Splunk Employee
Splunk Employee
‎12-22-2016 12:14 AM

Are you trying to display the timestamp from UTC to EST in the Splunk Web interface when a user performs a search? If so, you can adjust the timezone setting for a user's search results by adjusting their user settings.

https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Applytimezoneoffsetstotimestamps#Set_the_tim...

0 Karma
Reply
Solved! Jump to solution

nravichandran
Communicator
‎12-22-2016 02:50 PM

No, I want to convert a field value logged as UTC to EST. For example following is the log information:

Time: 12/22/16 5:42:00.000 PM
Last_accessed_at: 20161222221600 ( I want to convert to EST)

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...