A user tells us -
-- I need to convert time value from EST to UTC in Splunk search. Is there any function available to do this?
The user tried -
index=*
| head 5
| eval mytime=strftime(relative_time(_time, "+2d@d"),"%d/%b/%Y")
| eval duedate=strftime(relative_time(_time, "+2d@d"),"%Y-%m-%dT%H:%M:%S+%Q")
| eval eventtime= strftime(_time,"%Y-%m-%dT%H:%M:%S.0+0000") | eval utc_time =strftime(relative_time(_time, "+4h"), "%Y-%m-%dT%H:%M:%S.0+0000")
| table _time, host, duedate, eventtime, utc_time
They had to send the time to Jira as a UTC timestamp.
We ended up doing -
| eval TimeZone=_time+" EST" | eval estFormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%Z")
| eval FormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%z")
Flipping between %Z, hard-coded as EST to lower z, %z, which gives the TZ difference in hours, such as -4:00, etc.
Based on @niketnilay response at How to convert date and time in UTC to EST?
They had to send the time to Jira as a UTC timestamp.
We ended up doing -
| eval TimeZone=_time+" EST" | eval estFormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%Z")
| eval FormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%z")
Flipping between %Z, hard-coded as EST to lower z, %z, which gives the TZ difference in hours, such as -4:00, etc.
Based on @niketnilay response at How to convert date and time in UTC to EST?
@danielbb Glad you found the solution useful, by trapping the timezone you can perform a lot of mathematical conversions as well as per your needs. Do up-vote the original post if you found the answer useful.
Thank you @niketnilay!
Why is the user trying to convert time zones? What problem is he trying to solve?
If he just wants to see events in UTC then he just needs to change his profile.
I'm trying something like -
| makeresults | eval Time="Mon July 23 2018 17:19:01.89 EST"
| eval epoch=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval time_in_london=strftime(epoch,"%a %B %d %Y %H:%M:%S.%N UTC")
| table Time epoch time_in_london
Meaning, for time_in_london
, I'm trying to hardcode UTC
without much luck.
One way to determine the time difference between two time zones is to take any date and treat is as a UTC time stamp and as an EST one and subtract their corresponding epoch times.
| makeresults
| eval Time="Mon July 23 2018 17:19:01.89 UTC"
| eval epoch_utc=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval Time="Mon July 23 2018 17:19:01.89 EST"
| eval epoch_est=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval diff = (epoch_utc-epoch_est)/60/60
| table epoch_utc, epoch_est, diff
That shows the desired five but there might be a better way...