Splunk Search

How can we convert a time from EST to UTC in Splunk search?

Motivator

A user tells us -

-- I need to convert time value from EST to UTC in Splunk search. Is there any function available to do this?

The user tried -

index=*
| head 5
| eval mytime=strftime(relative_time(_time, "+2d@d"),"%d/%b/%Y")
| eval duedate=strftime(relative_time(_time, "+2d@d"),"%Y-%m-%dT%H:%M:%S+%Q")
| eval eventtime= strftime(_time,"%Y-%m-%dT%H:%M:%S.0+0000")
| eval utc_time =strftime(relative_time(_time, "+4h"), "%Y-%m-%dT%H:%M:%S.0+0000")
| table _time, host, duedate, eventtime, utc_time

Motivator

They had to send the time to Jira as a UTC timestamp.

We ended up doing -

| eval TimeZone=_time+" EST" | eval estFormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%Z") 
| eval FormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%z") 

Flipping between %Z, hard-coded as EST, and lowercase %z, which gives the TZ difference in hours, such as -4:00, etc.

Based on @niketnilay's response at "How to convert date and time in UTC to EST?"



SplunkTrust

@danielbb Glad you found the solution useful. By trapping the timezone you can perform a lot of mathematical conversions as well, as per your needs. Do up-vote the original post if you found the answer useful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Motivator

Thank you @niketnilay!


SplunkTrust

Why is the user trying to convert time zones? What problem is he trying to solve?
If he just wants to see events in UTC then he just needs to change his profile.

---
If this reply helps you, an upvote would be appreciated.

Motivator

I'm trying something like -

| makeresults | eval Time="Mon July 23 2018 17:19:01.89 EST" 
| eval epoch=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval time_in_london=strftime(epoch,"%a %B %d %Y %H:%M:%S.%N UTC")
| table Time epoch time_in_london

Meaning, for time_in_london, I'm trying to hardcode UTC without much luck.


Motivator

One way to determine the time difference between two time zones is to take any date and treat it as a UTC time stamp and as an EST one and subtract their corresponding epoch times.

| makeresults
| eval Time="Mon July 23 2018 17:19:01.89 UTC"
| eval epoch_utc=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval Time="Mon July 23 2018 17:19:01.89 EST"
| eval epoch_est=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval diff = (epoch_utc-epoch_est)/60/60
| table epoch_utc, epoch_est, diff

That shows the desired five but there might be a better way...

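As an added example that is not part of the thread (plain Python rather than SPL, so it can be run outside Splunk), this reproduces the two techniques above: the epoch-difference trick from the last post and the %Z/%z flip from the accepted answer, ending in the UTC form the asker needed for Jira. The abbreviation table is an assumption of the example, since Python's strptime, unlike the Splunk calls shown, does not resolve zone names such as EST.

```python
from datetime import datetime, timedelta, timezone

# Constructed lookup for this example: zone abbreviations are not standardized
# (CST alone names three zones), so resolving them is an application decision.
TZ_ABBREV = {
    "UTC": timezone.utc,
    "EST": timezone(timedelta(hours=-5), "EST"),
    "EDT": timezone(timedelta(hours=-4), "EDT"),
}
# The thread's layout, with Splunk's %N subseconds written as Python's %f.
WALL_CLOCK_FMT = "%a %B %d %Y %H:%M:%S.%f"


def parse_with_abbrev(text):
    """Parse 'Mon July 23 2018 17:19:01.89 EST' into an aware datetime.
    Python's strptime %Z only accepts UTC/GMT and the local zone names, so the
    trailing abbreviation is split off and resolved via TZ_ABBREV; an unknown
    one raises instead of silently falling back to the host's local time."""
    stamp, _, abbrev = text.rpartition(" ")
    if abbrev not in TZ_ABBREV:
        raise ValueError(f"unknown zone abbreviation: {abbrev!r}")
    return datetime.strptime(stamp, WALL_CLOCK_FMT).replace(tzinfo=TZ_ABBREV[abbrev])

def offset_hours(text_a, text_b):
    """The last post's trick: identical wall-clock text under two zone labels
    differs in epoch seconds by exactly the zone offset. Returns
    (epoch_a - epoch_b) in hours, so UTC minus EST comes out as -5.0."""
    return (parse_with_abbrev(text_a).timestamp()
            - parse_with_abbrev(text_b).timestamp()) / 3600

def render_local(text, zone_directive):
    """Keep the wall-clock time and append either the abbreviation (%Z) or the
    numeric offset (%z), the two directives the accepted answer flips between."""
    return parse_with_abbrev(text).strftime("%Y-%m-%dT%H:%M:%S.000" + zone_directive)

def to_jira_utc(text):
    """Normalize to UTC with milliseconds and an explicit numeric offset, the
    unambiguous form for Jira and for correlating logs across sources."""
    dt = parse_with_abbrev(text).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}" + dt.strftime("%z")


if __name__ == "__main__":
    est = "Mon July 23 2018 17:19:01.89 EST"  # constructed, taken from the thread
    utc = "Mon July 23 2018 17:19:01.89 UTC"
    print(offset_hours(utc, est))   # -5.0
    print(render_local(est, "%Z"))  # 2018-07-23T17:19:01.000EST
    print(render_local(est, "%z"))  # 2018-07-23T17:19:01.000-0500
    print(to_jira_utc(est))         # 2018-07-23T22:19:01.890+0000
```

Note the sign: with epoch_utc minus epoch_est the difference is -5, since the same wall-clock time in EST is five hours later in UTC.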