Get Utc in your _time dimension when using TimeCha...

harrisflourentz · ‎11-05-2019

Hi,

Intro:
I understand that splunk populates the _time field at index time, from valid date strings in the raw event data. This time is parsed as Unix Utc time, but it is displayed to Local time in Splunk Web.

Problem:
I know how I would go about evaluating a new DisplayUtcTime field to use during my queries. I want to know however how to produce timecharts (with the TimeChart command) plotted(displayed) with Utc rather than Local time.

[Again, I am aware that I can produce a similar result while using chart command if I say "over DisplayUtcTime", but I like the feature of timechart command that it automatically produces a sensible time span depending on the time range of your search]

Use Case:
More specifically, I use Splunk.Client C# Sdk to send search queries (jobs), and whenever I receive any kind of time results back (TimeCharts, Latest(_time), etc.) I always receive them to Local Time. Is there a way to specify through the sdk (or directly on the queries) that I want the results in UTC ?

[Note: I don't really have access to the splunk config file, neither I can make any admin changes through the enterprise account.]

Please correct me if I am making any false assumptions at any point. Thank you.

harrisflourentz · ‎11-06-2019

After Mary's answer, I played around with this a bit more and voila:
index=SomeIndex earliest=10/23/2019:12:00:00 latest=10/28/2019:12:00:00 | eval UserLower=lower(User) | timechart count by UserLower | rename UserLower as "User ID" **| eval timeOffset=strftime(_time, "%:::z") | eval _time=strftime(_time - 60*60*timeOffset, "%Y-%m-%dT%H:%M:%SZ")**

Conclusion: You need to evaluate your readable date format (whatever that is) on top of the _time field only AFTER you have asked splunk to produce the timechart using the original _time field (which holds the time in Unix time format just the way splunk likes it).

Please feel free to comment and suggest more elegant/appropriate solutions.

marycordova · ‎11-05-2019

You can change your UI preferences to display in UTC, that would be the fastest, most simple, and most comprehensive solution.

Otherwise, you can rename your eval timestamp DisplayUtcTime as _time then run timechart and it will use the value you set in DisplayUtcTime as _time in timechart.

@marycordova

harrisflourentz · ‎11-06-2019

Hi Mary,

Thank you for your answer.

Option 1 unfortunately does not work for me since I get search results back through the C# sdk
Option 2, I think I would need a bit more clarification:

Here is the search that I run:
index=SomeIndex earliest=-30d latest=-29d | eval UserLower=lower(User) | timechart count by UserLower | rename UserLower as "User ID"
Here is what I understand you are suggesting:
index=SomeIndex earliest=-30d latest=-29d | eval UserLower=lower(User) | eval timeOffset=strftime(_time, "%:::z") | eval displayUtcTime=strftime(_time - 60*60*timeOffset, "%Y-%m-%d %H:%M:%S") | timechart count by UserLower | rename UserLower as "User ID" | rename _time as displayUtcTime (or rename displayUtcTime as _time)
But the above will not work since splunk needs _time to be in Unix format to produce a valid chart.

harrisflourentz · ‎11-06-2019

I thought of work around however, that will work since I am using an SDK rather. I can always ask splunk to return _time in Unix --> just | rename _time as Time at the end of any chart/timechart search command and then convert the Unix time (which is always in UTC) to a C# DateTime type.

Get Utc in your _time dimension when using TimeChart

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...