Splunk IT Service Intelligence

How to specify midnight time in EST time using time modifier in a search query

sambit_kabi
Path Finder

I am in an X time zone, which can be any time zone. The Splunk indexers are in the EST time zone. I want to search all the events from midnight in the EST time zone up to the current time.

The question is how to specify the time range using time modifiers. If I use latest=now and earliest=@d in my search query, the @d is midnight in my current time zone and not in the EST time zone.

How do I create a time range for the search query which says "Give me the events since midnight in EST to the current time in EST"?

Note: This query should run irrespective of the time zone of the user running it. Basically we want to search the events in EST while being in a different time zone.


woodcock
Esteemed Legend

Use a subsearch like this:

Your Foundational Search Here [|makeresults
| eval TZ="EST"
| addinfo
| eval info_max_time = if(info_max_time=="+Infinity", now(), info_max_time)
| eval earliest=strptime(strftime(info_min_time, "%Y/%m/%dT%H:%M:%S") . " " . TZ, "%Y/%m/%dT%H:%M:%S %Z")
| eval latest=strptime(strftime(info_max_time, "%Y/%m/%dT%H:%M:%S") . " " . TZ, "%Y/%m/%dT%H:%M:%S %Z")
| table earliest latest
| format "" "" "" "" "" ""
| rex field=search mode=sed "s/\"//g"]

This search takes the Timepicker's values and translates them into a TZ="EST"-adjusted string with an earliest= ... latest= ... clause that will override the Timepicker. Your best bet is to take the subsearch, create a macro called timepickerTZ(1), and use it that way.

0 Karma

to4kawa
Ultra Champion

local TZ to EST

From time picker, you can do it.

0 Karma

anmolpatel
Builder

I'm based in the AEST time zone, so the time difference between AEST and EST is 14 hours.
Any event that happens at midnight EST occurs at 1400 hours AEST.

So say it's 1800 in AEST and I want to search for logs from midnight EST for the last 24 hours; then in my search I would set the time modifiers as follows:
latest = -4h@h ### this would reset it to 1400 hours AEST, which is midnight EST
earliest = -28h@h ### taking into account the 4 hour shift from latest

If you had to go for the last 7 days, then the time parameters would be:
latest = -4h@h
earliest = -7d@-4h

Note: for this to work, make sure you've set your time zone to your local time.

0 Karma

sambit_kabi
Path Finder

The time range would definitely work, but the point is that if I take this query and search from a different TZ than AEST, it would fail, because we specify the start and end time offsets based on the TZ we are in (AEST in your case).

Is there a way to make it TZ agnostic, meaning I would take latest=now and then derive the earliest as earliest = (12 AM midnight in EST w.r.t. the current time, i.e. now)? Meaning if the current time in EST is, say, 06-03-2020 09:00 AM, then my query would run from 06-03-2020 12 AM EST to 06-03-2020 09:00 AM EST.

So how do I calculate or specify the snap time 06-03-2020 12:00 AM EST in the query? All I have as input is the current time.

If there is a way to do this, then irrespective of the TZ the user is in, the query would always search in the EST time range.

0 Karma
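The TZ-agnostic calculation asked for above, as an added example that is not from this thread: given the current instant and a zone name, it finds midnight of that day in the zone and emits an absolute earliest=/latest= clause in epoch seconds (which Splunk time modifiers accept), so the same clause means the same range whoever runs it. The function names, the ISO-8601 input format, and the treatment of the literal "EST" as a fixed -05:00 offset (as opposed to America/New_York, which observes DST) are assumptions for the illustration.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo


def resolve_tz(tz_name):
    """Map a zone name to a tzinfo.

    Assumption: the literal "EST" is treated as a fixed UTC-5 offset with no
    DST, which is how the abbreviation is usually interpreted; any other name
    is looked up in the IANA database (e.g. "America/New_York", which does
    switch to EDT in March).
    """
    if tz_name == "EST":
        return timezone(timedelta(hours=-5), "EST")
    return ZoneInfo(tz_name)


def since_midnight_in_tz(now_iso, tz_name="America/New_York"):
    """Return (earliest, latest) epoch seconds for midnight-in-tz to now.

    now_iso is an ISO-8601 timestamp with an explicit offset, so the result
    does not depend on the machine's or the user's local time zone.
    """
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("now_iso must carry a UTC offset")
    tz = resolve_tz(tz_name)
    local_now = now.astimezone(tz)
    # Snap to 00:00:00 in the target zone, then convert back to an instant.
    midnight = local_now.replace(hour=0, minute=0, second=0, microsecond=0)
    return int(midnight.timestamp()), int(now.timestamp())


def spl_time_clause(now_iso, tz_name="America/New_York"):
    """Build an absolute 'earliest=... latest=...' clause for an SPL search."""
    earliest, latest = since_midnight_in_tz(now_iso, tz_name)
    return f"earliest={earliest} latest={latest}"


if __name__ == "__main__":
    # Constructed input: the question's scenario, 06-03-2020 09:00 AM EST,
    # which is 2020-03-06 14:00 UTC (early March is still UTC-5 in the East).
    print(spl_time_clause("2020-03-06T14:00:00+00:00"))
    # The second scenario, 09-03-2020 03:45 AM Eastern, falls after the
    # 2020-03-08 DST switch: a fixed "EST" and America/New_York now disagree
    # on where midnight is by exactly one hour.
    instant = "2020-03-09T07:45:00+00:00"
    print(since_midnight_in_tz(instant, "America/New_York")[0],
          since_midnight_in_tz(instant, "EST")[0])
```

Pasting the printed clause into the search replaces earliest=@d, and because both values are epoch seconds the Timepicker's zone no longer matters; pick "EST" or "America/New_York" according to whether the indexers really run on a fixed offset or on Eastern Time with DST.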

anmolpatel
Builder

I did some searching and saw these potential alternatives. Unsure if they are what you're looking for:
https://answers.splunk.com/answers/590067/how-do-i-map-my-personally-tz-adjusted-time-to-ano.html#an...

https://answers.splunk.com/answers/4279/timezone-and-timestamp-modification-at-search-report-time.ht...

I'm not across any other alternative. Please share if you find the solution.

0 Karma

to4kawa
Ultra Champion

list of time zone

Which time zone do you want? I don't think all 206 time zones are needed.

0 Karma

sambit_kabi
Path Finder

I need to specify the 12 AM midnight EST snap time in the earliest time modifier field of the search query.

So if the current time in EST is 09-03-2020 3:45 AM, then I want to specify 09-03-2020 12 AM in my search query as part of the time range.

0 Karma

to4kawa
Ultra Champion
0 Karma

sambit_kabi
Path Finder

Yes, so that's what I am trying to avoid. I want a query that would always search in the EST TZ no matter where the user is. I want to make the query generic so that I don't have to offset the time range based on my TZ, because the query time range would keep on changing based on the user's TZ.

0 Karma

sjbriggs
Path Finder

Where did you end up with this? I have a similar need in that I have dashboards that are regionally based around the globe, and I would prefer that someone viewing the dashboard from outside the location see the data based on that location's time zone. For example, if an engineer were in Idaho and was working with an engineer in Australia on an Australia issue, they would be seeing charts displaying the same time zone rather than two different time zones.

0 Karma