I am in a X time zone which can be any time zone. The splunk indexers are in EST time zone. I want to search all the events from the current time since the midnight in the EST time zone.
Question is how do I specify the time range using time modifier. If I use latest=now and earliest=@d in my search query , the @d is the midnight time of my current time zone and not the EST timezone.
How do I create a time range for search query which says "Give me the events since midnight in EST to current time in EST".
Note: This query should run irrespective of the timezone of the user running it. Basically we want to search the events in EST being in a diff time zone.
subsearch like this:
Your Foundational Search Here [|makeresults | eval TZ="EST" | addinfo | eval info_max_time = if(info_max_time=="+Infinity", now(), info_max_time) | eval earliest=strptime(strftime(info_min_time, "%Y/%m/%dT%H:%M:%S") . " " . TZ, "%Y/%m/%dT%H:%M:%S %Z") | eval latest=strptime(strftime(info_max_time, "%Y/%m/%dT%H:%M:%S") . " " . TZ, "%Y/%m/%dT%H:%M:%S %Z") | table earliest latest | format "" "" "" "" "" "" | rex field=search mode=sed "s/\"//g"]
This search takes the
Timepicker's values and translates them to a
TZ="EST"-adjust string with
earliest= ... latest= ... clause that will override the
Timepicker. Your best bet is to take the
subsearch and create a macro called
timepickerTZ(1) and use it that way.
I'm based in AEST time zone so the time difference between AEST and EST is 14 hours.
Any event that happens at midnight EST occurs at 1400 hours AEST.
So say its 1800 in AEST and I want to search for logs from midnight EST for last 24 hours, then in my search I would set the time modifier as follows:
latest = -4h@h ### this would reset it to 1400 hours AEST, which is midnight EST
earliest = -28h@h ### taking into the account the 4 hour shift from latest
if you had to go for last 7 days, then the time parameters would be:
latest = -4h@h
earliest = -7d@-4h
Note: for this to work, make sure you've set your timezone to your local time.
The time range would definitely work but the point is if I take this query and search being in a different TZ other than AEST, this would fail because we specify the start and end time offset based on the TZ we are in(AEST in your case).
Is there a way to make it TZ agnostic, meaning I would take the latest=now and then derive the earliest as earliest = (12 AM midnight time in EST w.r.t current time i. e now). Meaning if the current time in EST is say 06-03-2020 09:00 AM then my query would run from 06-03-2020 12 AM EST to 06-03-2020 09:00 AM EST.
So how do I calculate or specify the snap time 06-03-2020 12:00 AM EST in the query. All I have is the current time with as input.
If there is a way to do this then irrespective of the TZ user is in , the query would always search in the EST time range.
I did some search and saw these potential alternatives. Unsure if they are what you're looking for
I'm not across any other alternative. Please share if you find the solution
I need to specify 12 am midnight EST time snap time at the earliest time modifier field in search query.
So if the current time in EST is 09-03-2020 3:45 AM then I want to specify 09-03-2020 12 AM time in my search query as part of time range.
Yes so that's what I am trying to avoid. I want a query that would always search in the EST TZ no matter where the user is. I want to make the query generic so that i don't have to offset the timerange based on my TZ. Because the query time range would keep on changing based on the user TZ.