
How to convert date and time in UTC to EST?

Communicator

How to convert the DateTime in UTC to EST? I have the time value as 20161221211100.

Thank you in advance.

0 Karma

Re: How to convert date and time in UTC to EST?

Splunk Employee

Are you trying to display the timestamp from UTC to EST in the Splunk Web interface when a user performs a search? If so, you can adjust the timezone setting for a user's search results by adjusting their user settings.

https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Applytimezoneoffsetstotimestamps#Set_the_tim...

0 Karma

Re: How to convert date and time in UTC to EST?

Communicator

No, I want to convert a field value logged as UTC to EST. For example, the following is the log information:

Time: 12/22/16 5:42:00.000 PM
Lastaccessedat: 20161222221600 (I want to convert to EST)

Thank you!

0 Karma

Re: How to convert date and time in UTC to EST?

Legend

You can try strptime time specifiers and add a timezone (%z is for the timezone in HourMinute format HHMM, for example -0500 for US Eastern Standard Time, and %Z is for the timezone acronym, for example EST for US Eastern Standard Time). However, the final result displayed will be based on the Splunk server time or user settings. So if that suffices for your need, instead of changing the timezone of the extracted field, you can modify it through the logged-in user's Account Settings in Splunk.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Option 1
| makeresults
| eval Time="20161222221600"
| eval TimeZone=Time+" -0500"
| eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %z"),"%Y/%m/%d %H:%M:%S %z")

Option 2
| makeresults
| eval Time="20161222221600"
| eval TimeZone=Time+" EST"
| eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %Z"),"%Y/%m/%d %H:%M:%S %Z")

Option 3
Use Account Settings in Splunk to change the global timezone to EST.




| eval message="Happy Splunking!!!"



Re: How to convert date and time in UTC to EST?

Communicator

No, I want to convert a field value logged as UTC to EST at search time. For example, the following is the log information:

Time: 12/22/16 5:42:00.000 PM
Lastaccessedat: 20161222221600 (I want to convert to EST)


Re: How to convert date and time in UTC to EST?

Legend

Your sample time does not have a UTC identifier, so if you are seeing the timezone in search as UTC, that implies your Splunk server is running at UTC time or else your logged-in user account is set to UTC.

If you change the logged-in user account settings to EST, you will see FormatTime in EST while the TimeZone time is in GMT. Can you please run the following search in your Splunk Search and confirm the results for TimeZone and FormatTime?

| makeresults 
| eval Time="20161222091100" 
| eval TimeZone=Time+" GMT"
| eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %Z"),"%Y/%m/%d %H:%M:%S %Z")
| table TimeZone FormatTime



| eval message="Happy Splunking!!!"


0 Karma

Re: How to convert date and time in UTC to EST?

Communicator

FormatTime - 2016/12/22 04:11:00 EST
TimeZone - 20161222091100 GMT

0 Karma

Re: How to convert date and time in UTC to EST?

Legend

Is this not what you want? 09:11:00 GMT converted to 04:11:00 EST?




| eval message="Happy Splunking!!!"


0 Karma

Re: How to convert date and time in UTC to EST?

Communicator

Exactly! Thank you!

0 Karma

Re: How to convert date and time in UTC to EST?

Engager

I tried this, but it seems this is not working.

I want to convert BST to EST please.

| eval BST=strftime(TransactTime/1000000000, "%d/%m/%y %H:%M:%S %Z" )
| eval TimeZone=BST+" -EST"
| eval ET=strftime(strptime(TimeZone,"%d/%m/%y %H:%M:%S %Z"),"%d/%m/%y %H:%M:%S %Z")
| table BST, ET

0 Karma
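
Added example (Python, not code from any poster in this thread): the same conversions done outside Splunk, useful for cross-checking search output when correlating logs. It attaches the source zone (UTC) at parse time and only picks the target zone at render time, and it measures the skew introduced when a UTC value is parsed as if it were already Eastern. The function names, the summer timestamp and the nanosecond value are constructed for illustration; the two December values are the ones quoted in the thread.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo  # Python 3.9+, uses the system tz database

EASTERN = ZoneInfo("America/New_York")  # EST in winter, EDT in summer
LONDON = ZoneInfo("Europe/London")      # GMT in winter, BST in summer
COMPACT = "%Y%m%d%H%M%S"                # layout of the Lastaccessedat field
OUT = "%Y/%m/%d %H:%M:%S %Z"


def utc_field_to_epoch(value: str) -> float:
    """Parse a compact timestamp that was logged in UTC into epoch seconds."""
    parsed = datetime.strptime(value, COMPACT).replace(tzinfo=timezone.utc)
    return parsed.timestamp()


def render(epoch: float, zone: ZoneInfo = EASTERN) -> str:
    """Render an epoch value in a zone; the instant itself does not change."""
    return datetime.fromtimestamp(epoch, tz=zone).strftime(OUT)


def utc_field_to_eastern(value: str) -> str:
    """UTC-logged field value -> US Eastern wall-clock string (DST aware)."""
    return render(utc_field_to_epoch(value))


def mislabel_skew_seconds(value: str, wrong_zone: ZoneInfo = EASTERN) -> float:
    """Error in seconds if the UTC value is parsed as local time in wrong_zone."""
    wrong = datetime.strptime(value, COMPACT).replace(tzinfo=wrong_zone)
    return wrong.timestamp() - utc_field_to_epoch(value)


def epoch_ns_to_zone(ns: int, zone: ZoneInfo) -> str:
    """Epoch nanoseconds (like the TransactTime field) rendered in a zone."""
    return render(ns // 1_000_000_000, zone)


if __name__ == "__main__":
    for sample in ("20161222221600", "20161222091100", "20160701120000"):
        print(sample, "UTC ->", utc_field_to_eastern(sample),
              "| skew if mislabelled:", mislabel_skew_seconds(sample), "s")
    ns = int(utc_field_to_epoch("20160701120000")) * 1_000_000_000  # constructed
    print(epoch_ns_to_zone(ns, LONDON), "==", epoch_ns_to_zone(ns, EASTERN))
```
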