Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do i convert CEST to IST?

Joshi_18
Engager
‎04-24-2023 11:54 PM

I'm new to splunk, can anyone help me to make convert time from CEST to IST using query.

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2023 01:06 AM

OK. There is one thing you need to know about time manipulation in Splunk.

Splunk internally processes time as so called "unix timestamp" which means that it's just a number of seconds since Jan 1st 1970 0:00:00 UTC. So I'm writing this at a point in time which has 1682409489 timestamp.

If Splunk renders this time into a string value (either automatically as it does for the _time field or when you explicitly call the strftime()) function - it always uses the timezone defined for your user in preferences. And there is no way around it.

The soultion to which @SanjayReddy pointed you to is the only way to "cheat" Splunk - it effectively changes the timestamp to be rendered (so that you don't just render your given timestamp in another timezone but rather shift the whole timestamp by the timezone-specified offset), renders that timestamp in your local timezone (as I said - there is no way around it) and just doesn't show the timezone information (and optionally "glues" the fake "destination timezone" code). It is a very ugly hack and generally you should never do that and there is a very good rationale for keeping to one timezone - it prevents the confusion among your users.

So long story short - question is whether IST is your local timezone and you just want to parse the timestamp from logs from other timezone (that's relatively easy) or is CEST your local timezone and for some reason you want to render your timestamps in IST timezone (which is usually a bad idea).

Reply

Joshi_18
Engager
‎04-25-2023 04:01 AM

@PickleRick yes the second one which you said at the end

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2023 04:06 AM

So the first answer is "don't do it at all". Because mixing timezones (especially if you don't give a very very clear indication of it) is only gonna confuse your users.

But I understand that in some - very rare - cases you might want to see what the given timestamp looks like in someone else's timezone (the obvious use case is if you interact with a person from another part of the globe in a multinational corpo). Then your only option is to "cheat" with this offsetting of the whole timestamp.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-25-2023 06:03 AM

Or use option 3 on linked answer to change User's TZ on GUI preferences.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2023 06:14 AM

Sure, but that still won't let you see two timezones at the same time.

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎04-25-2023 12:09 AM

Hi @Joshi_18 

this post might help you 

https://community.splunk.com/t5/Getting-Data-In/How-to-convert-date-and-time-in-UTC-to-EST/m-p/20487...

Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top