How to convert epoch to local time?

Hi!

I have log entries with a timestamp embedded for expiration inside the log event.

What's the best way to convert the newly generated epoch to local time?

log sample

EXPIRES Feb 11 17:11:15 2015 GMT

Search:

   ...  | rex "(?i)EXPIRES (?P<TEST>.*)" | eval epochtime=strptime(TEST, "%b %d %H:%M:%S %Y") | eval ET=strftime(epochtime,"%b %d %H:%M:%S %Y")

Output sample:

TEST                       epochtime            ET
Feb 11 17:11:15 2015 GMT   1423674687.000000    Feb 11 17:11:15 2015 

1 Solution

| eval te=strptime(t,"%b %d %T %Y %Z") | eval tl=strftime(te,"%b %d %T %Y %Z")

You need to include the timezone capture (%Z) so that Splunk can calculate what the offset needs to be.

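An added example, not part of the original posts: it runs the question's sample line through both format strings side by side and flags the expiry state from the timezone-aware value. The field names expires_raw, naive_epoch, aware_epoch, skew_seconds, expires_local and status are assumptions chosen for illustration.

```spl
| makeresults
| eval _raw="EXPIRES Feb 11 17:11:15 2015 GMT"
| rex "(?i)EXPIRES (?P<expires_raw>.*)"
| eval naive_epoch=strptime(expires_raw, "%b %d %H:%M:%S %Y")
| eval aware_epoch=strptime(expires_raw, "%b %d %T %Y %Z")
| eval skew_seconds=naive_epoch-aware_epoch
| eval expires_local=strftime(aware_epoch, "%b %d %T %Y %Z")
| eval seconds_left=aware_epoch-now()
| eval status=case(isnull(aware_epoch), "unparsed", seconds_left<0, "expired", true(), "valid")
| table expires_raw naive_epoch aware_epoch skew_seconds expires_local status
```

The magnitude of skew_seconds is the searching user's UTC offset on that date, so it is 0 only when that user's time zone preference is UTC. Any comparison of an expiry time against now() should use aware_epoch, since naive_epoch shifts the expiry by that offset.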