I have imported data with datetime in the GMT time zone.
I need to count events grouped by a variable interval (day, week or month). I use a search query like this:
<mysearch> | bucket _time span=1d | stats count as newUsersForPerido by _time
And this returns counts for every day in the GMT time zone.
Now I need to use this query in different time zones, for example UTC+03:00 and UTC-04:00. How can I modify my search string?
The easiest way is just to adjust _time like this:
... | eval _time = _time + (3*60*60) | bucket _time span=1d | stats count as newUsersForPerido by _time
Be sure to also adjust your timepicker to be 3 hours earlier on both sides so you pull in the correct events.
Also, you can adjust your user settings at Your User Name -> Edit account -> Time zone to put in different values. This setting controls the normalization of the timepicker when you pick settings that are date-relative (e.g. Today, Last 7 days, etc.).
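A small Python model of the shift-then-bucket approach from the answer above, added here as an illustration and not part of the original thread. It assumes day buckets snap to GMT midnight (the search user's time zone is GMT), uses constructed event times, and generalizes the "3 hours earlier" timepicker advice to any fixed offset; the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime, timezone

DAY = 86400  # seconds in one day


def epoch(s):
    """Parse 'YYYY-MM-DD HH:MM' as GMT and return epoch seconds."""
    dt = datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def daily_counts(events, offset_hours=0, earliest=None, latest=None):
    """Model of: timepicker [earliest, latest) | eval _time=_time+offset
    | bucket _time span=1d | stats count by _time."""
    shift = int(offset_hours * 3600)
    counts = Counter()
    for t in events:
        if earliest is not None and t < earliest:
            continue
        if latest is not None and t >= latest:
            continue
        shifted = t + shift               # eval _time = _time + offset
        bucket = shifted - shifted % DAY  # bucket _time span=1d
        label = datetime.fromtimestamp(bucket, timezone.utc).strftime("%Y-%m-%d")
        counts[label] += 1
    return dict(sorted(counts.items()))


def window_for_local_day(day, offset_hours):
    """GMT search window covering one full local day at a fixed offset.
    For UTC+03:00 this is 3 hours earlier on both sides."""
    start = epoch(day + " 00:00") - int(offset_hours * 3600)
    return start, start + DAY


# Constructed sample events (GMT), placed near day boundaries on purpose.
EVENTS = [epoch(s) for s in (
    "2024-03-09 22:30",  # already 2024-03-10 in UTC+03:00
    "2024-03-10 02:00",  # still 2024-03-09 in UTC-04:00
    "2024-03-10 12:00",
    "2024-03-10 21:30",  # already 2024-03-11 in UTC+03:00
    "2024-03-11 03:00",  # still 2024-03-10 in UTC-04:00
)]

if __name__ == "__main__":
    for off in (0, 3, -4):
        print(off, daily_counts(EVENTS, off))
    # Unadjusted GMT window for 2024-03-10 splits the UTC+03:00 day in two.
    print(daily_counts(EVENTS, 3, epoch("2024-03-10 00:00"), epoch("2024-03-11 00:00")))
    print(daily_counts(EVENTS, 3, *window_for_local_day("2024-03-10", 3)))
```

A fixed offset like this does not follow daylight-saving changes, so it only matches zones that stay at the same UTC offset over the searched range.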
In which timezone are the events generated? Are they all GMT?
http://docs.splunk.com/Documentation/Splunk/latest/data/Applytimezoneoffsetstotimestamps
Yes, all events are generated in GMT.