
## How can we convert a time from EST to UTC in Splunk search?

Motivator

A user tells us -

-- I need to convert time value from EST to UTC in Splunk search. Is there any function available to do this?

The user tried -

```
index=*
| eval mytime=strftime(relative_time(_time, "+2d@d"),"%d/%b/%Y")
| eval duedate=strftime(relative_time(_time, "+2d@d"),"%Y-%m-%dT%H:%M:%S+%Q")
| eval eventtime=strftime(_time,"%Y-%m-%dT%H:%M:%S.0+0000")
| eval utc_time=strftime(relative_time(_time, "+4h"), "%Y-%m-%dT%H:%M:%S.0+0000")
| table _time, host, duedate, eventtime, utc_time
```
1 Solution
Motivator

They had to send the time to Jira as a UTC timestamp.

We ended up doing -

```
| eval TimeZone=_time+" EST"
| eval estFormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%Z")
| eval FormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%z")
```

Flipping between %Z, hard-coded as EST to lower z, %z, which gives the TZ difference in hours, such as -4:00, etc.

Based on @niketnilay's response at How to convert date and time in UTC to EST?

SplunkTrust

@danielbb Glad you found the solution useful. By trapping the timezone you can perform a lot of mathematical conversions as well, as per your needs. Do up-vote the original post if you found the answer useful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Motivator

Thank you @niketnilay!

SplunkTrust

Why is the user trying to convert time zones? What problem is he trying to solve?
If he just wants to see events in UTC then he just needs to change his profile.

---
If this reply helps you, an upvote would be appreciated.
Motivator

I'm trying something like -

```
| makeresults
| eval Time="Mon July 23 2018 17:19:01.89 EST"
| eval epoch=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval time_in_london=strftime(epoch,"%a %B %d %Y %H:%M:%S.%N UTC")
| table Time epoch time_in_london
```

Meaning, for `time_in_london`, I'm trying to hardcode `UTC` without much luck.

Motivator

One way to determine the time difference between two time zones is to take any date and treat it as a UTC time stamp and as an EST one and subtract their corresponding epoch times.

```
| makeresults

| eval Time="Mon July 23 2018 17:19:01.89 UTC"
| eval epoch_utc=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")

| eval Time="Mon July 23 2018 17:19:01.89 EST"
| eval epoch_est=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval diff = (epoch_utc-epoch_est)/60/60

| table epoch_utc, epoch_est, diff
```

That shows the desired five but there might be a better way...  
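
The `%z` offset used in the accepted solution can also be turned into arithmetic, which yields a UTC string that does not depend on the time zone the search renders in or on a hard-coded abbreviation such as EST. This is an added example, not code from the thread; the sample timestamp and the field names (`day_noon`, `tz_sec`, `sod`, `utc_time`) are constructed for illustration, and it swaps the `strptime`/`%Z` round trip for epoch arithmetic.

```spl
| makeresults
| eval Time="2018-07-23 17:19:01 -0400" ```constructed sample: the thread's timestamp with an explicit numeric offset```
| eval epoch=strptime(Time,"%Y-%m-%d %H:%M:%S %z")
| eval day_noon=floor(epoch/86400)*86400+43200 ```12:00 UTC on the event's UTC date```
| eval tz=strftime(day_noon,"%z") ```offset this search renders with, as +hhmm or -hhmm```
| eval tz_sec=if(substr(tz,1,1)="-",-1,1)*(tonumber(substr(tz,2,2))*3600+tonumber(substr(tz,4,2))*60)
| eval utc_date=strftime(day_noon-tz_sec,"%Y-%m-%d") ```shifted noon still renders as the UTC date, even across a DST switch```
| eval sod=floor(epoch)%86400 ```seconds since 00:00 UTC; epoch time is already UTC-based```
| eval utc_time=utc_date."T".printf("%02d:%02d:%02d",floor(sod/3600),floor((sod%3600)/60),sod%60)."Z"
| table Time epoch tz utc_time
```

In a real search, replace `epoch` with `_time`; the time of day comes straight from the epoch value, so only the date part relies on `strftime`.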