Splunk IT Service Intelligence

How to specify midnight time in EST time using time modifier in a search query

Path Finder

I am in a X time zone which can be any time zone. The splunk indexers are in EST time zone. I want to search all the events from the current time since the midnight in the EST time zone.

Question is how do I specify the time range using time modifier. If I use latest=now and earliest=@d in my search query , the @d is the midnight time of my current time zone and not the EST timezone.

How do I create a time range for search query which says "Give me the events since midnight in EST to current time in EST".

Note: This query should run irrespective of the timezone of the user running it. Basically we want to search the events in EST being in a diff time zone.


Re: How to specify midnight time in EST time using time modifier in a search query

Ultra Champion

list of time zone

Which time zone do you want? I think all 206 time zones are not needed.

0 Karma

Re: How to specify midnight time in EST time using time modifier in a search query

Path Finder

I need to specify the 12 AM midnight EST snap time in the earliest time modifier field of the search query.

So if the current time in EST is 09-03-2020 3:45 AM then I want to specify 09-03-2020 12 AM time in my search query as part of time range.

0 Karma

Re: How to specify midnight time in EST time using time modifier in a search query

Ultra Champion
0 Karma

Re: How to specify midnight time in EST time using time modifier in a search query

Path Finder

Yes, so that's what I am trying to avoid. I want a query that would always search in the EST TZ no matter where the user is. I want to make the query generic so that I don't have to offset the time range based on my TZ, because the query time range would keep on changing based on the user's TZ.

0 Karma

Re: How to specify midnight time in EST time using time modifier in a search query

Builder

I'm based in AEST time zone so the time difference between AEST and EST is 14 hours.
Any event that happens at midnight EST occurs at 1400 hours AEST.

So say it's 1800 in AEST and I want to search for logs from midnight EST for the last 24 hours; then in my search I would set the time modifiers as follows:
latest = -4h@h ### this would reset it to 1400 hours AEST, which is midnight EST
earliest = -28h@h ### taking into account the 4 hour shift from latest

If you had to go for the last 7 days, then the time parameters would be:
latest = -4h@h
earliest = -7d-4h@h ### 7 days before latest; the snap unit must follow "@"

Note: for this to work, make sure you've set your timezone to your local time.

0 Karma

Re: How to specify midnight time in EST time using time modifier in a search query

Path Finder

The time range would definitely work, but the point is that if I take this query and search while being in a different TZ than AEST, this would fail, because we specify the start and end time offsets based on the TZ we are in (AEST in your case).

Is there a way to make it TZ agnostic, meaning I would take latest=now and then derive the earliest as earliest = (12 AM midnight in EST w.r.t. the current time, i.e. now)? Meaning, if the current time in EST is say 06-03-2020 09:00 AM, then my query would run from 06-03-2020 12 AM EST to 06-03-2020 09:00 AM EST.

So how do I calculate or specify the snap time 06-03-2020 12:00 AM EST in the query? All I have as input is the current time.

If there is a way to do this, then irrespective of the TZ the user is in, the query would always search in the EST time range.

0 Karma

Re: How to specify midnight time in EST time using time modifier in a search query

Builder

I did some searching and saw these potential alternatives. Unsure if they are what you're looking for:
https://answers.splunk.com/answers/590067/how-do-i-map-my-personally-tz-adjusted-time-to-ano.html#an...

https://answers.splunk.com/answers/4279/timezone-and-timestamp-modification-at-search-report-time.ht...

I'm not across any other alternative. Please share if you find the solution

0 Karma

Re: How to specify midnight time in EST time using time modifier in a search query

Ultra Champion

local TZ to EST

From time picker, you can do it.

0 Karma

Re: How to specify midnight time in EST time using time modifier in a search query

Esteemed Legend

Use a subsearch like this:

Your Foundational Search Here [|makeresults
| eval TZ="EST"
| addinfo
| eval info_max_time = if(info_max_time=="+Infinity", now(), info_max_time)
| eval earliest=strptime(strftime(info_min_time, "%Y/%m/%dT%H:%M:%S") . " " . TZ, "%Y/%m/%dT%H:%M:%S %Z")
| eval latest=strptime(strftime(info_max_time, "%Y/%m/%dT%H:%M:%S") . " " . TZ, "%Y/%m/%dT%H:%M:%S %Z")
| table earliest latest
| format "" "" "" "" "" ""
| rex field=search mode=sed "s/\"//g"]

This search takes the Timepicker's values and translates them to a TZ="EST"-adjusted string with an earliest= ... latest= ... clause that will override the Timepicker. Your best bet is to take the subsearch and create a macro called timepickerTZ(1) and use it that way.

0 Karma
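The two approaches in this thread (the Builder's fixed "-4h@h" offset and the Esteemed Legend's subsearch that re-reads the time picker's bounds as EST) both reduce to ordinary time-zone arithmetic, which is easier to reason about outside SPL. The following Python is an added example, not code from the thread or from Splunk: it computes the "midnight EST to now" window directly as epoch seconds (which Splunk accepts in earliest= and latest=), mirrors the subsearch's strftime/strptime trick for several users in different zones, and shows why a fixed hour offset only matches one run time. It assumes EST is a fixed UTC-05:00 offset (as the literal TZ="EST" in the subsearch implies), that AEST and PST are fixed +10:00 and -08:00, and a constructed "current time" of 08:45 UTC on 2020-09-03; the function names are mine.

```python
"""Added example (not from the Splunk Answers thread): build a search window
bounded by midnight EST without depending on the searching user's time zone,
and mirror the subsearch trick that re-reads time-picker bounds as EST."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Assumptions for this example: EST is a fixed UTC-05:00 offset, matching the
# literal TZ="EST" in the subsearch; a DST-aware zone (America/New_York) would
# need zoneinfo instead. AEST and PST are fixed offsets standing in for users'
# local zones. All of these are constructed for the example.
EST = timezone(timedelta(hours=-5), "EST")
AEST = timezone(timedelta(hours=10), "AEST")
PST = timezone(timedelta(hours=-8), "PST")
FMT = "%Y/%m/%dT%H:%M:%S"          # same layout the subsearch passes to strftime
# Constructed "current time": 08:45 UTC on 2020-09-03, i.e. 03:45 EST.
NOW_UTC = datetime(2020, 9, 3, 8, 45, tzinfo=timezone.utc)


def est_window_since_midnight(now_utc: datetime) -> tuple[int, int]:
    """(earliest, latest) epoch seconds for 'midnight EST .. now'.
    Only the instant matters; the caller's local zone never enters, so the
    pair can be pasted as earliest=<n> latest=<n> by any user."""
    now_est = now_utc.astimezone(EST)
    midnight_est = now_est.replace(hour=0, minute=0, second=0, microsecond=0)
    return int(midnight_est.timestamp()), int(now_est.timestamp())


def reinterpret_in_est(t: datetime, user_tz: timezone) -> int:
    """The subsearch trick: format the bound as wall-clock text in the user's
    zone, then parse that same text as EST. Python's %Z does not resolve
    'EST', so replace(tzinfo=EST) stands in for the subsearch's strptime."""
    wall_clock = t.astimezone(user_tz).strftime(FMT)
    return int(datetime.strptime(wall_clock, FMT).replace(tzinfo=EST).timestamp())


def timepicker_to_est_clause(info_min_time: float, info_max_time,
                             user_tz: timezone, now_utc: datetime) -> str:
    """Mirror of the whole subsearch: addinfo's info_min_time/info_max_time
    (epoch seconds; info_max_time is '+Infinity' when latest is 'now')
    become the earliest=... latest=... clause that overrides the picker."""
    if info_max_time == "+Infinity":           # the if() on info_max_time
        info_max_time = now_utc.timestamp()
    lo = datetime.fromtimestamp(float(info_min_time), tz=timezone.utc)
    hi = datetime.fromtimestamp(float(info_max_time), tz=timezone.utc)
    return f"earliest={reinterpret_in_est(lo, user_tz)} latest={reinterpret_in_est(hi, user_tz)}"


def latest_modifier_for_instant(now_utc: datetime) -> str:
    """The Builder's '-4h@h' idea made explicit: whole hours between the
    hour-snapped 'now' and EST midnight. The count moves with the run time,
    so a fixed modifier only lands on EST midnight at one time of day."""
    earliest, _ = est_window_since_midnight(now_utc)
    snapped = now_utc.replace(minute=0, second=0, microsecond=0)   # '@h'
    return f"-{int((snapped.timestamp() - earliest) // 3600)}h@h"


def demo() -> dict:
    """Three users at the same instant, each with earliest=@d latest=now in
    their own zone: all get the same EST earliest bound, while latest is each
    user's wall-clock 'now' re-read as EST, ahead of the real now for zones
    east of EST and behind it for zones west of EST (see the PST user)."""
    def local_midnight(tz: timezone) -> int:
        return int(NOW_UTC.astimezone(tz).replace(hour=0, minute=0, second=0).timestamp())
    return {
        "direct": est_window_since_midnight(NOW_UTC),
        "aest_user": timepicker_to_est_clause(local_midnight(AEST), "+Infinity", AEST, NOW_UTC),
        "utc_user": timepicker_to_est_clause(local_midnight(timezone.utc), "+Infinity", timezone.utc, NOW_UTC),
        "pst_user": timepicker_to_est_clause(local_midnight(PST), "+Infinity", PST, NOW_UTC),
        "modifier_now": latest_modifier_for_instant(NOW_UTC),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The direct window is the answer to the original question: two epoch numbers that do not depend on who runs the search. The subsearch's reinterpretation gives every user the same earliest bound from a plain "@d" picker, but its latest is the user's local "now" re-read as EST, so a user west of EST (the PST case above) gets a latest earlier than the real now and silently loses the most recent hours; users east of EST get a latest in the future, which is harmless. A fixed-offset modifier such as "-4h@h" only equals EST midnight when the search runs at the one hour it was written for.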