Splunk Search

Add a number of hours to a search field?

balcv
Contributor

I have a field returned with some search data that contains a date and time in UTC.  I would like to be able to add 10 hours to the time.

a) Field contents(dateTime UTC):  2023-05-08T00:24:37.6079338Z

b) New field (Local dateTime):         2023-05-08 10:24:37.607

Is there a way to do the conversion from a) to b) in the search syntax?

Labels (1)
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @balcv,

You can use below;

| eval newtime=strftime(strptime(datefield,"%Y-%m-%dT%H:%M:%S.%7QZ")+36000,"%Y-%m-%dT%H:%M:%S.%3QZ")
If this reply helps you an upvote and "Accept as Solution" is appreciated.

balcv
Contributor

Perfect thanks @scelikok 

0 Karma
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...