How can you adjust timezone in search? Convert UTC...

ebs · ‎07-25-2021

Hi, I have a field value 2021-07-26T00:30:51.411 UTC which I got from | eval strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q %Z") how can I turn this field into the Brisbane timezone (+10 hrs)?

venkatasri · ‎07-26-2021

Hi @ebs

User settings should have been fine could be the way _time been extracted ignored TZ settings. You can try this as an alternative.

| makeresults 
| eval _time="2021-07-26T00:30:51.411 UTC" 
| eval _time=strptime(_time." +1000", "%Y-%m-%dT%H:%M:%S.%3Q %Z") 
| convert ctime(_time)

---

An upvote would be appreciated and Accept solution if this reply helps!

ebs · ‎07-26-2021

How can I apply this to a pre existing _time field value?

venkatasri · ‎07-26-2021

@ebs Above SPL replaces _time at search-time but not permanent to indexers.

venkatasri · ‎07-25-2021

Hi @ebs

If you are already under Brisbane timezone under user settings, and above said timestamp is mapped _time then your _time value is by default get adjusted to AEST isn't that you are after?

otherwise if time is a field not mapped to _time then a 10 hour shall be added to it.

ebs · ‎07-26-2021

Hi @venkatasri

Thanks for the answer but sadly this won't work for my use case as I'm using tstats and datamodels and even when my personal timezone is set to Brisbane the time of events is still in UTC. So it needs to be through SPL

How can you adjust timezone in search? Convert UTC to AEST

eval

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!