Splunk Search

Date / Time stamp translation in search

thartmann
Path Finder

We have a situation where we'd like to construct a search based on a time/date from a remote Time zone. So for example, I would search for something in a form for something at 13:00 PST and the actual search needs to transform the PST to EST, and search created at 16:00. This may be totally simple and I'm just missing it. My thought was to use lookups to map Timezones. Has anyone done anything like this?

Thanks!


gkanapathy
Splunk Employee

If you always want the users to query from the same fixed time zone, while the data comes in (correctly interpreted and converted by Splunk to the "real" UTC time), you could consider setting up a dedicated search head for that time zone. Make sure the Splunk process runs in that time zone, and all displayed and queried times will by default be displayed and queried using the time zone of the search head.

Stephen_Sorkin
Splunk Employee

If you want to search using a time string, with a time zone, as part of the search itself (and not as API arguments), you can use the following syntax:

timeformat="%Y-%m-%dT%H:%M:%S%:z" earliest="2010-08-15T00:00:00-07:00" latest=...

You can change the timeformat to any suitable strptime type format string. From the API it's easier, since you can just set et and lt to be the earliest and latest times, and time_format to be a strptime type format string.


rotten
Communicator

Have you seen the documentation notes on timezones? http://www.splunk.com/base/Documentation/4.1.4/admin/ApplyTimezoneOffsetstotimestamps

Everything I do is all in the same timezone so I haven't run into this yet. However it reads like all of the dates are automatically converted when they are indexed so that they can be matched up when you search later. In other words, I think as long as the splunk datetime parser can figure out the timezone associated with the event, splunk takes care of the conversions for you.


thartmann
Path Finder

Well, I think I have the reverse problem. I have the correct time zones in the logs (EST) but I want users to query them based on a variable time zone. I'm looking to pass a time zone into my search, and have the logs searched offset correctly.

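The following is an added example (not from any poster in this thread or from Splunk) that combines thartmann's requirement of passing a variable time zone into the search with the `timeformat`/`earliest`/`latest` syntax Stephen_Sorkin describes: it takes a wall-clock time plus an IANA zone name supplied by the user, validates the zone name, and emits the ISO-8601-with-offset strings that the `%:z` timeformat expects, so Splunk does the PST-to-EST translation itself. Function names and the use of Python's `zoneinfo` are this example's own choices.

```python
from datetime import datetime
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Splunk strptime-style format from the thread; %:z is the +hh:mm offset token.
SPLUNK_TIMEFORMAT = "%Y-%m-%dT%H:%M:%S%:z"


def to_splunk_time(local_time: str, tz_name: str) -> str:
    """Interpret 'YYYY-MM-DD HH:MM' as wall-clock time in tz_name and return an
    ISO-8601 string with numeric offset, e.g. 2010-08-15T13:00:00-07:00.
    A named zone (not a fixed offset) is used so DST is resolved per date."""
    try:
        zone = ZoneInfo(tz_name)
    except ZoneInfoNotFoundError:
        # Reject unknown zone names rather than pass arbitrary user text through.
        raise ValueError(f"unknown time zone: {tz_name!r}")
    naive = datetime.strptime(local_time, "%Y-%m-%d %H:%M")
    aware = naive.replace(tzinfo=zone)
    # Python's strftime has no %:z; isoformat() yields the same +hh:mm form.
    return aware.isoformat(timespec="seconds")


def convert_zone(local_time: str, from_tz: str, to_tz: str) -> str:
    """Show the same instant as wall-clock time in another zone (13:00 PST/PDT
    becomes 16:00 EST/EDT), returned in the same ISO-8601 offset form."""
    src = datetime.strptime(local_time, "%Y-%m-%d %H:%M").replace(tzinfo=ZoneInfo(from_tz))
    return src.astimezone(ZoneInfo(to_tz)).isoformat(timespec="seconds")


def build_time_args(earliest_local: str, latest_local: str, tz_name: str) -> str:
    """Build the search-time arguments in the syntax quoted in the thread.
    Only validated, machine-formatted values are interpolated, so user input
    cannot inject extra search operators into the query."""
    return (
        f'timeformat="{SPLUNK_TIMEFORMAT}" '
        f'earliest="{to_splunk_time(earliest_local, tz_name)}" '
        f'latest="{to_splunk_time(latest_local, tz_name)}"'
    )


if __name__ == "__main__":
    # Constructed sample: a user asks for 13:00-14:00 on 2010-08-15, Pacific time.
    print(build_time_args("2010-08-15 13:00", "2010-08-15 14:00", "America/Los_Angeles"))
    print(convert_zone("2010-08-15 13:00", "America/Los_Angeles", "America/New_York"))
```

The generated `earliest`/`latest` strings can be appended to a search string or passed to the search API as `et`/`lt` with `time_format` set to the same format, as the answer above notes.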