Splunk Search

How can we convert a time from EST to UTC in Splunk search?

danielbb
Motivator

A user tells us -

-- I need to convert time value from EST to UTC in Splunk search. Is there any function available to do this?

The user tried -

index=* 
| head 5 
| eval mytime=strftime(relative_time(_time, "+2d@d"),"%d/%b/%Y") 
| eval duedate=strftime(relative_time(_time, "+2d@d"),"%Y-%m-%dT%H:%M:%S+%Q") 
| eval eventtime=strftime(_time,"%Y-%m-%dT%H:%M:%S.0+0000")
| eval utc_time=strftime(relative_time(_time, "+4h"), "%Y-%m-%dT%H:%M:%S.0+0000")
| table _time, host, duedate, eventtime, utc_time 
0 Karma

danielbb
Motivator

They had to send the time to Jira as a UTC timestamp.

We ended up doing -

| eval TimeZone=_time+" EST"
| eval estFormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%Z")
| eval FormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%z") 

Flipping between %Z, hard-coded as EST, and lowercase z, %z, which gives the TZ difference in hours, such as -4:00, etc.

Based on @niketnilay's response at How to convert date and time in UTC to EST?

niketn
Legend

@danielbb Glad you found the solution useful. By trapping the timezone you can perform a lot of mathematical conversions as well, as per your needs. Do up-vote the original post if you found the answer useful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

danielbb
Motivator

Thank you @niketnilay!

0 Karma

richgalloway
SplunkTrust

Why is the user trying to convert time zones? What problem is he trying to solve?
If he just wants to see events in UTC then he just needs to change his profile.

---
If this reply helps you, Karma would be appreciated.
0 Karma

danielbb
Motivator

I'm trying something like -

| makeresults | eval Time="Mon July 23 2018 17:19:01.89 EST" 
| eval epoch=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval time_in_london=strftime(epoch,"%a %B %d %Y %H:%M:%S.%N UTC")
| table Time epoch time_in_london

Meaning, for time_in_london, I'm trying to hardcode UTC without much luck.

0 Karma

danielbb
Motivator

One way to determine the time difference between two time zones is to take any date, treat it as a UTC time stamp and as an EST one, and subtract their corresponding epoch times.

| makeresults 

| eval Time="Mon July 23 2018 17:19:01.89 UTC" 
| eval epoch_utc=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")

| eval Time="Mon July 23 2018 17:19:01.89 EST" 
| eval epoch_est=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval diff = (epoch_utc-epoch_est)/60/60

| table epoch_utc, epoch_est, diff

That shows the desired five but there might be a better way...

0 Karma
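The conversion this thread works toward, written out as one self-contained search (an added example, not from the thread or from Splunk): the zone carried in the string is consumed by strptime's %Z, and the epoch is then rendered as UTC by subtracting the offset that strftime's %z reports for the search user's profile timezone, so the result does not depend on what that profile is set to. The sample timestamp is constructed; field names are my own.

```spl
| makeresults
| eval Time="Mon July 23 2018 17:19:01.890 EST"
| eval epoch=strptime(Time,"%a %B %d %Y %H:%M:%S.%3N %Z")
| eval tzoff=strftime(epoch,"%z")
| eval sign=if(substr(tzoff,1,1)="-",-1,1)
| eval offset_secs=sign*(tonumber(substr(tzoff,2,2))*3600 + tonumber(substr(tzoff,4,2))*60)
| eval utc_time=strftime(epoch - offset_secs,"%Y-%m-%dT%H:%M:%S.%3NZ")
| eval local_time=strftime(epoch,"%Y-%m-%dT%H:%M:%S.%3N%z")
| table Time epoch tzoff offset_secs utc_time local_time
```

For the sample row utc_time is 2018-07-23T22:19:01.890Z whatever the profile timezone, while tzoff and local_time change with it; the offset is read per event, so DST is handled, except in the single hour around a DST switch where the shifted epoch falls on the other side of the change.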