How to edit my command to convert UTC time to EST ...

ronaldsc · ‎09-28-2016

Trying to figure out why converting time, which is stored in UTC, is not being converted correctly when going to EST. What I expect to see is -4 hours of what I have stored under my _time value and/or another field which has the same values as well. When I run the following command I get +5 hours from my UTC time. Not sure what I am doing wrong, I'm really new to Splunk so if someone could explain it that would be great.

| eval est=strptime(strftime(_time,"%Y-%m-%d %H:%M:%S EST"),"%Y-%m-%d %H:%M:%S %Z")
| eval local=strftime(est,"%Y-%m-%d %H:%M:%S")
| table _time, local

Here are my two values for _time and d_time. As you guys can see they are both stored in the same exact way. What I've been trying to do, with no success, is convert that to Eastern time.

 _time  = 2012-03-01T22:34:28.000+00:00  
d_time = 2012-03-01T22:34:28.000+00:00

Also - forgot to mention. I am able to get the correct offset by subtracting hours in seconds from _time. But that doesn't seem like the right way to go about this.

somesoni2 · ‎09-28-2016

Assuming that your timezone is set to UTC (as the _time shows the date in UTC), try something like this to convert _time to any timezone that you specify in the eval (I'm converting to EST here)

your base search with _time in UTC |  eval _time=_time-(strptime(strftime(_time,"%Y-%m-%dT%H:%M:%S.%3N")." EST","%Y-%m-%dT%H:%M:%S.%N%Z")-_time)

It's basically calculating the offset seconds automatically and substracting (or adding based on difference in current TZ versus one that you specify) in in the _time.

How to edit my command to convert UTC time to EST time?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio