Splunk Search

Date / Time stamp translation in search

Path Finder

We have a situation where we'd like to construct a search based on a time/date from a remote Time zone. So for example, I would search for something in a form for something at 13:00 PST and the actual search needs to transform the PST to EST, and search created at 16:00. This may be totally simple and I'm just missing it. My thought was to use lookups to map Timezones. Has anyone done anything like this?

Thanks!


Re: Date / Time stamp translation in search

Communicator

Have you seen the documentation notes on timezones? http://www.splunk.com/base/Documentation/4.1.4/admin/ApplyTimezoneOffsetstotimestamps

Everything I do is all in the same timezone so I haven't run into this yet. However it reads like all of the dates are automatically converted when they are indexed so that they can be matched up when you search later. In other words, I think as long as the splunk datetime parser can figure out the timezone associated with the event, splunk takes care of the conversions for you.


Re: Date / Time stamp translation in search

Path Finder

Well, I think I have the reverse problem. I have the correct time zones in the logs (EST), but I want users to query them based on a variable time zone. I'm looking to pass a time zone into my search and have the logs searched with the correct offset.


Re: Date / Time stamp translation in search

Splunk Employee

If you want to search using a time string, with a time zone, as part of the search itself (and not as API arguments), you can use the following syntax:

timeformat="%Y-%m-%dT%H:%M:%S%:z" earliest="2010-08-15T00:00:00-07:00" latest=...

You can change the timeformat to any suitable strptime type format string. From the API it's easier, since you can just set et and lt to be the earliest and latest times, and time_format to be a strptime type format string.

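The earliest/latest syntax from this answer, applied to the original poster's problem (a user enters a wall-clock time plus a time zone, and the search clause has to carry the correct UTC offset). This is an added Python example, not code from the thread or from Splunk; the IANA zone names and the sample dates are constructed, and it relies only on the standard library.

```python
"""Build the timeformat/earliest/latest clause for a Splunk search from a
user-supplied local time and IANA zone, and convert between zones.
Added example; zone names and sample times are constructed assumptions."""
from datetime import datetime
from zoneinfo import ZoneInfo

# Format string from the answer above; %:z is the UTC offset with a colon.
SPLUNK_TIMEFORMAT = "%Y-%m-%dT%H:%M:%S%:z"


def to_splunk_time(local_str: str, tz_name: str) -> str:
    """Interpret 'YYYY-MM-DD HH:MM' as wall-clock time in tz_name and return
    an ISO-8601 string whose numeric offset matches SPLUNK_TIMEFORMAT."""
    naive = datetime.strptime(local_str, "%Y-%m-%d %H:%M")
    aware = naive.replace(tzinfo=ZoneInfo(tz_name))
    # isoformat() emits the colon form of the offset (e.g. -07:00), so the
    # value lines up with %:z; DST comes from the zone database rather than
    # a hard-coded -08:00 / -07:00 guess.
    return aware.isoformat(timespec="seconds")


def convert_zone(local_str: str, from_tz: str, to_tz: str) -> str:
    """Express the same instant in another zone (the 13:00 Pacific ->
    16:00 Eastern case from the question)."""
    aware = datetime.strptime(local_str, "%Y-%m-%d %H:%M").replace(
        tzinfo=ZoneInfo(from_tz))
    return aware.astimezone(ZoneInfo(to_tz)).isoformat(timespec="seconds")


def time_clause(start_local: str, end_local: str, tz_name: str) -> str:
    """Return the fragment to prepend to a search. The user's zone is passed
    explicitly instead of relying on the search head's process time zone."""
    return (f'timeformat="{SPLUNK_TIMEFORMAT}" '
            f'earliest="{to_splunk_time(start_local, tz_name)}" '
            f'latest="{to_splunk_time(end_local, tz_name)}"')


if __name__ == "__main__":
    # Constructed sample: a one-hour window entered by a Pacific-time user.
    print(time_clause("2010-08-15 13:00", "2010-08-15 14:00",
                      "America/Los_Angeles"))
    print(convert_zone("2010-08-15 13:00",
                       "America/Los_Angeles", "America/New_York"))
```

Because the offset is computed per date, a winter time in the same zone produces -08:00 rather than -07:00 without any change to the caller.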

Re: Date / Time stamp translation in search

Splunk Employee

If you always want the users to query from the same fixed time zone, while the data comes in (correctly interpreted and converted by Splunk to the "real" UTC time), you could consider setting up a dedicated search head for that time zone. Make sure the Splunk process runs in that time zone, and all displayed and queried times will by default be displayed and queried using the time zone of the search head.