Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do i convert CEST to IST?

Joshi_18
Engager
‎04-24-2023 11:54 PM

I'm new to splunk, can anyone help me to make convert time from CEST to IST using query.

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2023 01:06 AM

OK. There is one thing you need to know about time manipulation in Splunk.

Splunk internally processes time as so called "unix timestamp" which means that it's just a number of seconds since Jan 1st 1970 0:00:00 UTC. So I'm writing this at a point in time which has 1682409489 timestamp.

If Splunk renders this time into a string value (either automatically as it does for the _time field or when you explicitly call the strftime()) function - it always uses the timezone defined for your user in preferences. And there is no way around it.

The soultion to which @SanjayReddy pointed you to is the only way to "cheat" Splunk - it effectively changes the timestamp to be rendered (so that you don't just render your given timestamp in another timezone but rather shift the whole timestamp by the timezone-specified offset), renders that timestamp in your local timezone (as I said - there is no way around it) and just doesn't show the timezone information (and optionally "glues" the fake "destination timezone" code). It is a very ugly hack and generally you should never do that and there is a very good rationale for keeping to one timezone - it prevents the confusion among your users.

So long story short - question is whether IST is your local timezone and you just want to parse the timestamp from logs from other timezone (that's relatively easy) or is CEST your local timezone and for some reason you want to render your timestamps in IST timezone (which is usually a bad idea).

Reply

Joshi_18
Engager
‎04-25-2023 04:01 AM

@PickleRick yes the second one which you said at the end

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2023 04:06 AM

So the first answer is "don't do it at all". Because mixing timezones (especially if you don't give a very very clear indication of it) is only gonna confuse your users.

But I understand that in some - very rare - cases you might want to see what the given timestamp looks like in someone else's timezone (the obvious use case is if you interact with a person from another part of the globe in a multinational corpo). Then your only option is to "cheat" with this offsetting of the whole timestamp.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-25-2023 06:03 AM

Or use option 3 on linked answer to change User's TZ on GUI preferences.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2023 06:14 AM

Sure, but that still won't let you see two timezones at the same time.

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎04-25-2023 12:09 AM

Hi @Joshi_18 

this post might help you 

https://community.splunk.com/t5/Getting-Data-In/How-to-convert-date-and-time-in-UTC-to-EST/m-p/20487...

Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...