We have a situation where we'd like to construct a search based on a time/date from a remote time zone. So for example, I would search in a form for something at 13:00 PST, and the actual search needs to transform the PST to EST and search created at 16:00. This may be totally simple and I'm just missing it. My thought was to use lookups to map time zones. Has anyone done anything like this?
If you always want the users to query from the same fixed time zone, while the data comes in (correctly interpreted and converted by Splunk to the "real" UTC time), you could consider setting up a dedicated search head for that time zone. Make sure the Splunk process runs in that time zone, and all displayed and queried times will by default be displayed and queried using the time zone of the search head.
You can change the timeformat to any suitable strptime type format string. From the API it's easier, since you can just set et and lt to be the earliest and latest times, and time_format to be a strptime type format string.
Everything I do is all in the same time zone, so I haven't run into this yet. However, it reads like all of the dates are automatically converted when they are indexed so that they can be matched up when you search later. In other words, I think as long as the Splunk datetime parser can figure out the time zone associated with the event, Splunk takes care of the conversions for you.
Well, I think I have the reverse problem. I have the correct time zones in the logs (EST), but I want users to query them based on a variable time zone. I'm looking to pass a time zone into my search and have the logs searched offset correctly.
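Added example (not code from this thread): the "pass a time zone into the search" idea above, combined with the API approach from the earlier answer. A small constructed lookup maps the abbreviation the user types (PST, EST) to an IANA zone, the form time is interpreted in that zone, and the window is emitted as epoch values for the search/jobs call with `time_format=%s`, so the search head's own time zone no longer matters. The parameter names `earliest_time`, `latest_time` and `time_format` are the REST ones; the example builds the parameters and does not call Splunk.

```python
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo

# Constructed sample lookup: abbreviations users type on the form, mapped to
# IANA zone names (an abbreviation alone is ambiguous and carries no DST rules).
ZONE_LOOKUP = {"PST": "America/Los_Angeles", "EST": "America/New_York"}


def window_epochs(local_text, zone, duration_minutes=60, fmt="%Y-%m-%d %H:%M"):
    """Interpret local_text as wall-clock time in zone (an abbreviation from
    ZONE_LOOKUP or an IANA name) and return (earliest, latest) epoch seconds."""
    tz = ZoneInfo(ZONE_LOOKUP.get(zone, zone))
    naive = datetime.strptime(local_text, fmt)
    start = naive.replace(tzinfo=tz)
    # Reject wall-clock times that do not exist in this zone (DST spring-forward
    # gap): converting back from UTC would land on a different wall-clock time.
    if datetime.fromtimestamp(start.timestamp(), tz).replace(tzinfo=None) != naive:
        raise ValueError(f"{local_text} does not exist in {tz.key}")
    end = start + timedelta(minutes=duration_minutes)
    return int(start.timestamp()), int(end.timestamp())


def to_zone(epoch, zone, fmt="%H:%M %Z"):
    """Render an epoch value in another zone, e.g. to show the user what the
    window looks like on the log's own EST clock."""
    tz = ZoneInfo(ZONE_LOOKUP.get(zone, zone))
    return datetime.fromtimestamp(epoch, tz).strftime(fmt)


def search_job_params(local_text, zone, duration_minutes=60):
    """Parameters for the REST search/jobs request: epoch earliest/latest with
    time_format=%s, independent of the search head's process time zone."""
    et, lt = window_epochs(local_text, zone, duration_minutes)
    return {"earliest_time": str(et), "latest_time": str(lt), "time_format": "%s"}


if __name__ == "__main__":
    params = search_job_params("2024-01-15 13:00", "PST")
    print(params)
    print(to_zone(int(params["earliest_time"]), "EST"))  # 16:00 EST
```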