How to edit my command to convert UTC time to EST ...

ronaldsc · ‎09-28-2016

Trying to figure out why converting time, which is stored in UTC, is not being converted correctly when going to EST. What I expect to see is -4 hours of what I have stored under my _time value and/or another field which has the same values as well. When I run the following command I get +5 hours from my UTC time. Not sure what I am doing wrong, I'm really new to Splunk so if someone could explain it that would be great.

| eval est=strptime(strftime(_time,"%Y-%m-%d %H:%M:%S EST"),"%Y-%m-%d %H:%M:%S %Z")
| eval local=strftime(est,"%Y-%m-%d %H:%M:%S")
| table _time, local

Here are my two values for _time and d_time. As you guys can see they are both stored in the same exact way. What I've been trying to do, with no success, is convert that to Eastern time.

 _time  = 2012-03-01T22:34:28.000+00:00  
d_time = 2012-03-01T22:34:28.000+00:00

Also - forgot to mention. I am able to get the correct offset by subtracting hours in seconds from _time. But that doesn't seem like the right way to go about this.

somesoni2 · ‎09-28-2016

Assuming that your timezone is set to UTC (as the _time shows the date in UTC), try something like this to convert _time to any timezone that you specify in the eval (I'm converting to EST here)

your base search with _time in UTC |  eval _time=_time-(strptime(strftime(_time,"%Y-%m-%dT%H:%M:%S.%3N")." EST","%Y-%m-%dT%H:%M:%S.%N%Z")-_time)

It's basically calculating the offset seconds automatically and substracting (or adding based on difference in current TZ versus one that you specify) in in the _time.

How to edit my command to convert UTC time to EST time?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!