Splunk Search

How do I convert CEST to IST?

Joshi_18
Engager

I'm new to Splunk. Can anyone help me convert time from CEST to IST using a query?

0 Karma

PickleRick
SplunkTrust

OK. There is one thing you need to know about time manipulation in Splunk.

Splunk internally processes time as a so-called "unix timestamp", which means that it's just a number of seconds since Jan 1st 1970 0:00:00 UTC. So I'm writing this at a point in time which has the timestamp 1682409489.

If Splunk renders this time into a string value (either automatically, as it does for the _time field, or when you explicitly call the strftime() function), it always uses the timezone defined for your user in preferences. And there is no way around it.

The solution to which @SanjayReddy pointed you is the only way to "cheat" Splunk - it effectively changes the timestamp to be rendered (so that you don't just render your given timestamp in another timezone but rather shift the whole timestamp by the timezone-specified offset), renders that timestamp in your local timezone (as I said - there is no way around it) and just doesn't show the timezone information (and optionally "glues" the fake "destination timezone" code). It is a very ugly hack and generally you should never do that and there is a very good rationale for keeping to one timezone - it prevents the confusion among your users.

So long story short - question is whether IST is your local timezone and you just want to parse the timestamp from logs from other timezone (that's relatively easy) or is CEST your local timezone and for some reason you want to render your timestamps in IST timezone (which is usually a bad idea).

Joshi_18
Engager

@PickleRick yes the second one which you said at the end

 

0 Karma

PickleRick
SplunkTrust

So the first answer is "don't do it at all". Because mixing timezones (especially if you don't give a very very clear indication of it) is only gonna confuse your users.

But I understand that in some - very rare - cases you might want to see what the given timestamp looks like in someone else's timezone (the obvious use case is if you interact with a person from another part of the globe in a multinational corpo). Then your only option is to "cheat" with this offsetting of the whole timestamp.

0 Karma
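An added example, not part of the thread and not Splunk code: a Python model of the timestamp-offset "cheat" described above, showing that the shifted value is only good for display and that a hard-coded offset breaks when the user's zone changes between CEST and CET. Assumptions: IST means India Standard Time (UTC+5:30), the user's zone is CEST (UTC+2) or CET (UTC+1), and all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Assumed fixed UTC offsets (not stated in the thread): IST is taken to be
# India Standard Time; CET is the winter counterpart of CEST.
CEST = timezone(timedelta(hours=2), "CEST")
CET = timezone(timedelta(hours=1), "CET")
IST = timezone(timedelta(hours=5, minutes=30), "IST")

FMT = "%Y-%m-%d %H:%M:%S"


def render_user_tz(epoch, user_tz):
    """Model of strftime() as the thread describes it: the epoch is always
    rendered in the user's preference timezone, never in another one."""
    return datetime.fromtimestamp(epoch, user_tz).strftime(FMT)


def shift_for_display(epoch, user_tz, dest_tz):
    """The 'cheat': move the epoch by (dest offset - user offset) so that the
    user-timezone rendering shows the destination wall clock."""
    at = datetime.fromtimestamp(epoch, timezone.utc)
    delta = dest_tz.utcoffset(at) - user_tz.utcoffset(at)
    return epoch + delta.total_seconds()


def render_as(epoch, user_tz, dest_tz):
    """Display-only string with the destination label glued on."""
    shifted = shift_for_display(epoch, user_tz, dest_tz)
    return f"{render_user_tz(shifted, user_tz)} {dest_tz.tzname(None)}"


if __name__ == "__main__":
    t = 1682409489  # timestamp quoted in the thread (07:58:09 UTC)
    print("local :", render_user_tz(t, CEST), "CEST")
    print("cheat :", render_as(t, CEST, IST))
    # The shifted value is a different instant; keep it out of filters/joins.
    print("drift :", shift_for_display(t, CEST, IST) - t, "seconds")
    # A hard-coded summer offset (12600 s) is one hour short for a CET user.
    winter = 1673776800  # constructed sample: 2023-01-15 10:00:00 UTC
    print("fixed :", render_user_tz(winter + 12600, CET), "(wrong)")
    print("calc  :", render_as(winter, CET, IST))
```

When building an incident timeline, keep correlation and filtering on the original epoch and apply the shift only to the column shown to the reader.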

isoutamo
SplunkTrust

Or use option 3 on linked answer to change User's TZ on GUI preferences.

0 Karma

PickleRick
SplunkTrust

Sure, but that still won't let you see two timezones at the same time.

0 Karma

SanjayReddy
SplunkTrust