Is there a way to display the full timezone and not just the abbreviation? The SPL I am currently using is:
| eval zone=strftime(time(),"%Z %z")
However this just gives me the abbreviation (i.e. "AEST +1000"). I would like it to display "Australian Eastern Standard Time +1000".
You can also scrape things like wikipedia and make your own lookups with apps like these:
https://splunkbase.splunk.com/app/4146/
https://splunkbase.splunk.com/app/3226/
https://splunkbase.splunk.com/app/635/
Hi @georgiawebber
I am the Community Content Specialist for Splunk Answers. If any of the answers worked for you please go ahead and accept it, if not let the community know if you need more clarification.
Thanks
Oops! Sorry I forgot I had this question out there. Have now accepted!
If it's consistently like in your question, here's a run anywhere example that everytime the zone field start with "AEST", it will replace it with "Australian Eastern Standard Time".
| makeresults
| eval zone=strftime(time(),"%Z %z")
| rex mode=sed field=zone "s/^(AEST)/Australian Eastern Standard Time/"
The makeresults command is simply to get it to work as an example, but what you need after your eval statement, is the third line.
@georgiawebber Did this solution work for you? Did you need to clarify your question? Please remember to accept the answer that helped, or clarify your question/comment on the answers that are close.
You can also scrape things like wikipedia and make your own lookups with apps like these:
https://splunkbase.splunk.com/app/4146/
https://splunkbase.splunk.com/app/3226/
https://splunkbase.splunk.com/app/635/
These Q&A links should give you what you need (be sure to UpVote
the answers that help):
https://answers.splunk.com/answers/590067/how-do-i-map-my-personally-tz-adjusted-time-to-ano.html
https://answers.splunk.com/answers/127193/where-are-splunk-valid-tz-options-in-propsconf.html