Splunk Search

How to search in UTC and of the format yyyy-mm-ddThh:mm:ss.SSSZ?

msg4sunil
Path Finder

On searching with the criteria earliest="07/04/2021:09:48:00" latest="07/04/2021:09:48:59", the search runs in my local timezone of AEST, using the format %m/%d/%Y:%H:%M:%S.

How do I force the above to take the UTC timezone instead as criteria, and also to use the format "yyyy-mm-ddThh:mm:ss.SSSZ"?

Thank you


tscroggins
Motivator

@msg4sunil 

Have you tried this?

timeformat="%m/%d/%Y:%H:%M:%S%Z" starttime="07/04/2021:09:48:00Z" endtime="07/04/2021:09:48:59Z"

Or this:

timeformat="%Y-%m-%dT%H:%M:%S.%3N%Z" starttime="2021-07-04T09:48:00.000Z" endtime="2021-07-04T09:48:59.999Z"

But you probably want this:

timeformat="%Y-%m-%dT%H:%M%Z" starttime="2021-07-04T09:48Z" endtime="2021-07-04T09:49Z"

unless you explicitly have millisecond precision and want to use that as an upper bound. Time ranges should be read as starttime (or earliest) >= T0 and endtime (or latest) < T1.

Date and time format variables are documented at <https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables>.
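The timezone point and the half-open range rule above, as an added Python example that is not part of the original post or of Splunk: it parses the asker's earliest/latest strings once as AEST (assumed here to be a fixed +10:00 offset, which holds in July) and once as UTC, then applies the >= T0 / < T1 rule to a few constructed event timestamps. Python's strptime has no %3N, so the millisecond format uses %f and %z instead.

```python
from datetime import datetime, timezone, timedelta

# Assumed: AEST as a fixed UTC+10 offset (no DST in July), the asker's zone.
AEST = timezone(timedelta(hours=10), "AEST")
UTC = timezone.utc

# The asker's format, plus an ISO-8601 millisecond format for the events.
# Splunk's %3N has no Python equivalent: %f accepts 1 to 6 digits, %z accepts "Z".
SPLUNK_FMT = "%m/%d/%Y:%H:%M:%S"
ISO_MS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def to_epoch(text, fmt, tz=None):
    """Parse a time string into epoch seconds.

    A string whose format carries no zone is interpreted in `tz`, which is
    what Splunk does with the searching user's configured timezone.
    """
    dt = datetime.strptime(text, fmt)
    if dt.tzinfo is None:
        if tz is None:
            raise ValueError("naive timestamp needs a timezone")
        dt = dt.replace(tzinfo=tz)
    return dt.timestamp()


def window(earliest, latest, fmt, tz=None):
    """Return (T0, T1) epoch bounds for an earliest/latest pair."""
    return to_epoch(earliest, fmt, tz), to_epoch(latest, fmt, tz)


def in_range(event_epoch, t0, t1):
    """Splunk range semantics: event >= T0 and event < T1 (half-open)."""
    return t0 <= event_epoch < t1


# Constructed sample events (UTC, millisecond precision) around the minute.
EVENTS = [
    "2021-07-04T09:47:59.999Z",
    "2021-07-04T09:48:00.000Z",
    "2021-07-04T09:48:59.999Z",
    "2021-07-04T09:49:00.000Z",
]


def matching_events(earliest, latest, fmt, tz=None):
    """Events from EVENTS that fall inside the window, in Splunk's semantics."""
    t0, t1 = window(earliest, latest, fmt, tz)
    return [e for e in EVENTS if in_range(to_epoch(e, ISO_MS_FMT), t0, t1)]
```

Running `matching_events("07/04/2021:09:48:00", "07/04/2021:09:48:59", SPLUNK_FMT, AEST)` returns nothing, because the window lands ten hours earlier in UTC; with UTC and latest 09:48:59 only the 09:48:00.000 event matches, and latest 09:49:00 is needed to include 09:48:59.999.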
