Splunk Search

Specify time zone in static earliest and latest times?

reed_kelly
Contributor

I would like to send a search with a specific time range to people in different time zones. I can use earliest and latest to specify an exact time, but I don't see how to specify the timezone for each. Is there a convenient way to do this, or should I create a macro that computes the time appropriate for each user?

Here is what I do now:
base search ... earliest="2/1/2018:10:00:00" latest="2/1/2018:10:05:00"

I would like to do this:
base search ... earliest="2/1/2018:10:00:00 +00:00" latest="2/1/2018:10:05:00 +00:00"

OR
base search ... earliest="2/1/2018:10:00:00 UTC" latest="2/1/2018:10:05:00 UTC"

but neither of these works.

I know that I can add a macro or a bunch of SPL to make something work, but I was hoping for simplicity.


reed_kelly
Contributor

I found a possible answer:

base search ... earliest=1517479200 latest=1517479500

Since epoch time is always UTC, this can be given to anyone. It's pretty convenient. I might create something to allow me to cut and paste the Splunk search time range into it to convert to this format.

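The conversion the accepted answer describes (take a Splunk static timestamp such as 2/1/2018:10:00:00, pin it to one named zone, and emit the epoch earliest/latest pair so every recipient searches the identical window regardless of their Splunk user time-zone preference) as an added example in Python, not code from the original thread. It assumes Splunk's default static time format %m/%d/%Y:%H:%M:%S from the question, accepts UTC, a fixed +HH:MM offset, or an IANA zone name (the last one needs the host's tz database), and the function names are the example's own.

```python
"""Convert Splunk static time ranges into zone-independent epoch ranges.

Added example: pins a wall-clock timestamp to an explicit zone and emits the
epoch form from the accepted answer (earliest=1517479200 latest=1517479500),
which Splunk interprets as UTC for every user.
"""
import re
from datetime import datetime, timedelta, timezone

# Splunk's default format for static earliest/latest values (from the question).
SPLUNK_FMT = "%m/%d/%Y:%H:%M:%S"


def parse_zone(zone):
    """Return a tzinfo for 'UTC', 'Z', '+HH:MM'/'-HHMM', or an IANA name."""
    if zone.upper() in ("UTC", "Z"):
        return timezone.utc
    m = re.fullmatch(r"([+-])(\d{2}):?(\d{2})", zone)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
        return timezone(sign * delta)
    # IANA names (e.g. "America/New_York") need the system tz database;
    # assumption: the host has one. Imported lazily so the fixed-offset and
    # UTC paths above work even where it is missing.
    from zoneinfo import ZoneInfo
    return ZoneInfo(zone)


def to_epoch(stamp, zone="UTC"):
    """Interpret a Splunk static timestamp in the given zone; return epoch seconds."""
    naive = datetime.strptime(stamp, SPLUNK_FMT)
    aware = naive.replace(tzinfo=parse_zone(zone))
    return int(aware.timestamp())


def from_epoch(epoch, zone="UTC"):
    """Render an epoch value back in Splunk's static format for a given zone."""
    return datetime.fromtimestamp(epoch, parse_zone(zone)).strftime(SPLUNK_FMT)


def epoch_range(earliest, latest, zone="UTC"):
    """Build the zone-independent 'earliest=... latest=...' clause to paste into SPL."""
    e, l = to_epoch(earliest, zone), to_epoch(latest, zone)
    if l <= e:
        raise ValueError("latest must be after earliest")
    return f"earliest={e} latest={l}"


if __name__ == "__main__":
    # The range from the question, pinned to UTC.
    print(epoch_range("2/1/2018:10:00:00", "2/1/2018:10:05:00", "UTC"))
    # The same wall-clock text read as US Eastern (standard time, -05:00)
    # lands five hours later in absolute time: exactly the divergence the
    # epoch form prevents when the text is shared across zones.
    print(epoch_range("2/1/2018:10:00:00", "2/1/2018:10:05:00", "-05:00"))
    # Round trip: show what a recipient in -05:00 would see on their clock.
    print(from_epoch(1517479200, "-05:00"))
```

Paste the returned clause after the base search exactly as the accepted answer shows; Splunk reads bare integers for earliest and latest as epoch seconds, so no time-zone modifier is needed.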


Scott_K
Explorer

Do you know how I would handle a search where I need to exclude a certain time period, such as this (these times are in UTC):

| eval Hour=strftime(_time,"%H")
| eval Minute=strftime(_time,"%M")
| search NOT ( (Hour=00 AND Minute >= 00) AND (Hour=00 AND Minute <= 20) )


elliotproebstel
Champion

Yes, that's exactly what you should do! Do you want help converting? It'll be a pretty straightforward application of the strptime function. You'll want these: http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Commontimeformatvariables


reed_kelly
Contributor

I'm good with that. Thanks for your help.


elliotproebstel
Champion

When you send these timestamps to users in various time zones, do you want them to wind up each searching for the same time window, regardless of their locale (e.g. they all look at the web proxy logs for events at 1:05PM-1:10PM EDT) or do you want them to wind up searching for time windows relevant to their respective locales (e.g. they all look at web proxy logs for events that occurred at 1:05PM-1:10PM in their local time zones)?

reed_kelly
Contributor

Thanks for commenting. I want them to find the exact same events that I saw without giving them a URL.
