Solved: need help in time conversion

jerinvarghese · ‎04-10-2020

Currently am having a code that converts the time value to a formatted way.

 | rename _time as Time_CST 
 | fieldformat Time_CST=strftime(Time_CST,"%x %X")

Raw timing format : 2020-04-10 15:28:30.333 (UTC)
After adding the fieldformat : 04/10/20 10:28:30 (CST)

all the timings are in UTC and CST zone
Please help me convert this to IST time zone.
How can i achieve it.

DalJeanis · ‎04-10-2020

If you only want the time formatted in your results, then all you have to do is know your local offset in hours and apply it to the stored UTC value before you format.

However, please please please get out of the habit of using a 2-digit year, and you will save yourself tons of headaches.

ISO standard is YYYY-MM-DD HH:MM:SS.QQQ.

If your personal time zone were set to UTC, then your answer should look like this -

 | eval Time_CST=strftime(_time-4*3600,"%Y-%m-%d %H:%M:%S.%3Q")
 | eval Time_IST=strftime(_time+5.5*3600,"%Y-%m-%d %H:%M:%S.%3Q")

If your personal TZ were set to CST, then you need to offset by the difference between the two time zones -

 | eval Time_CST=strftime(_time,"%Y-%m-%d %H:%M:%S.%3Q")
 | eval Time_IST=strftime(_time+9.5*3600,"%Y-%m-%d %H:%M:%S.%3Q")

View solution in original post

to4kawa · ‎04-13-2020

use relative_time

DalJeanis · ‎04-10-2020

If you only want the time formatted in your results, then all you have to do is know your local offset in hours and apply it to the stored UTC value before you format.

However, please please please get out of the habit of using a 2-digit year, and you will save yourself tons of headaches.

ISO standard is YYYY-MM-DD HH:MM:SS.QQQ.

If your personal time zone were set to UTC, then your answer should look like this -

 | eval Time_CST=strftime(_time-4*3600,"%Y-%m-%d %H:%M:%S.%3Q")
 | eval Time_IST=strftime(_time+5.5*3600,"%Y-%m-%d %H:%M:%S.%3Q")

If your personal TZ were set to CST, then you need to offset by the difference between the two time zones -

 | eval Time_CST=strftime(_time,"%Y-%m-%d %H:%M:%S.%3Q")
 | eval Time_IST=strftime(_time+9.5*3600,"%Y-%m-%d %H:%M:%S.%3Q")

jerinvarghese · ‎04-13-2020

the answer is correct, but i have a problem.
what i have to do during the Daylight saving time.

CUrrently : | eval Time_IST=strftime(_time+10.5*3600,"%d-%m-%Y %l:%M:%S %p")

its 10.5 Multiplication factor.

DalJeanis · ‎04-14-2020

Correct, you have the issue of daylight savings time, changing back and forth. There is another answer somewhere ... where u showed the method of setting it up automatically to change itself...

Ah, here it is. I haven't played with it in a long time, so test it thoroughly on different time frames to see whether it is appropriate to your need.

https://answers.splunk.com/answers/4279/timezone-and-timestamp-modification-at-search-report-time.ht...

richgalloway · ‎04-10-2020

Have you set your Splunk preferences to display times in IST?

---
If this reply helps you, Karma would be appreciated.

jerinvarghese · ‎04-13-2020

HI,

No, i dont have admin privilege to change anything in splunk.
Any other conversion method in terms of query

richgalloway · ‎04-13-2020

You don't need admin privilege to change your personal time zone setting. Click on your name at the top of the Splunk GUI and select Preferences.

---
If this reply helps you, Karma would be appreciated.

need help in time conversion

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!